(57)Abstract:

PROBLEM TO BE SOLVED: In single-sign-on authentication, where a single user
authentication permits multiple accesses, to identify legitimate access with a small
amount of computation and thereby exclude illegal access.
SOLUTION: Secrecy information 4 is shared by a client means 1 and an
authentication server means 2. The authentication server means 2 issues an
authentication ticket 5 including collation information obtained by performing an
irreversible arithmetic operation (f) on the secrecy information 4 (n) times. The client
means 1 presents this authentication ticket, together with presentation information
obtained by performing the irreversible arithmetic operation (f) on the secrecy
information 4 (n-k) times, to a permission server means 3. The permission server
means 3 performs the irreversible arithmetic operation (f) on the presentation
information (k) times and checks whether or not the result matches the collation
information. Because (k) is increased from 1 to (n), the authentication ticket 5 can be
used for a maximum of (n) accesses without the next presentation information being
computable from the past presentation information.
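
The scheme in the abstract, as an added example that is not taken from the patent: the collation information is f applied n times to the shared secrecy information, the k-th presentation is f applied n-k times, and the permission server applies f k more times and compares. SHA-256 as f, HMAC-SHA-256 as the ticket's authenticator, the field layout, all names, and a permission server that tracks the use count itself are assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def f(x: bytes) -> bytes:
    """The irreversible operation f (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(x).digest()


def f_iter(x: bytes, times: int) -> bytes:
    """Apply f to x `times` times; times == 0 returns x unchanged."""
    for _ in range(times):
        x = f(x)
    return x


@dataclass(frozen=True)
class Ticket:
    ticket_id: bytes   # 16 random bytes
    collation: bytes   # collation information: f applied n times to the secret
    n: int             # maximum number of uses
    mac: bytes         # authenticator over the three fields above


def _mac(server_key: bytes, ticket_id: bytes, collation: bytes, n: int) -> bytes:
    # Fixed-width fields (16 + 32 + 4 bytes), so the concatenation is unambiguous.
    body = ticket_id + collation + n.to_bytes(4, "big")
    return hmac.new(server_key, body, hashlib.sha256).digest()


def issue_ticket(server_key: bytes, secret: bytes, n: int) -> Ticket:
    """Authentication server: issue a ticket that is good for n uses."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    ticket_id = os.urandom(16)
    collation = f_iter(secret, n)
    return Ticket(ticket_id, collation, n, _mac(server_key, ticket_id, collation, n))


def presentation_info(secret: bytes, n: int, k: int) -> bytes:
    """Client: presentation information for the k-th use, f applied n-k times.

    At k == n this is the secret itself, which is why the ticket ends there.
    """
    if not 1 <= k <= n:
        raise ValueError("k must satisfy 1 <= k <= n")
    return f_iter(secret, n - k)


class PermissionServer:
    """Permission server that keeps the use count k per ticket identifier."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._uses = {}  # ticket_id -> number of uses accepted so far

    def permit(self, ticket: Ticket, presented: bytes) -> bool:
        # 1. Reject tickets whose fields were altered after issue.
        expected = _mac(self._key, ticket.ticket_id, ticket.collation, ticket.n)
        if not hmac.compare_digest(expected, ticket.mac):
            return False
        # 2. This request is use number k; refuse once n uses are spent.
        k = self._uses.get(ticket.ticket_id, 0) + 1
        if k > ticket.n:
            return False
        # 3. Apply f k times to the presented value and compare with the ticket.
        if not hmac.compare_digest(f_iter(presented, k), ticket.collation):
            return False
        self._uses[ticket.ticket_id] = k
        return True


def run_demo() -> dict:
    """Walk one ticket with n = 3 through its life, using constructed values."""
    server_key = b"K" * 32   # constructed sample key shared by the servers
    secret = b"S" * 32       # constructed sample secrecy information
    n = 3
    ticket = issue_ticket(server_key, secret, n)
    server = PermissionServer(server_key)
    first = presentation_info(secret, n, 1)
    return {
        "use1": server.permit(ticket, first),
        # A captured value replayed as use 2 hashes to f^(n+1)(secret): no match.
        "replay_of_use1": server.permit(ticket, first),
        "use2": server.permit(ticket, presentation_info(secret, n, 2)),
        "use3": server.permit(ticket, presentation_info(secret, n, 3)),
        "use4": server.permit(ticket, secret),
    }


if __name__ == "__main__":
    for step, accepted in run_demo().items():
        print(step, accepted)
```

The permission server never needs the secrecy information; it holds only the key that checks the authenticator and does k hash evaluations per request.
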
CLAIMS



[Claim(s)] 

[Claim 1] An authentication server means to publish an authentication ticket, and a 
license server means to approve use of an authentication ticket, In an authentication 
system equipped with a client means to require an authentication ticket of said 
authentication server means, and to require use license of an authentication ticket of 
said license server means A client means to hold the authentication ticket whose 
count of effective is n (n is a positive integer), and for this to be shown, and to ask 
for use license, A license server means to require presentation information of said 
client means in response, to collate with said authentication ticket, and to approve 
use is provided. Said authentication ticket The authentication child is given including a 
ticket identifier, collating information, and the count of effective. Said collating 
information A predetermined irreversible operation is performed to the confidential 
information which said authentication server means and said client means share n 
times. Said presentation information in case the use count of said authentication 
ticket is k (k is a positive integer below n) is an authentication system characterized 
by performing said predetermined irreversible operation to said confidential
information n-k times.

[Claim 2] The authentication system according to claim 1 to which said authentication 
server means is characterized by managing user authentication information, 
performing a user authentication procedure between said client means, and publishing 
said authentication ticket. 

[Claim 3] It is the authentication system according to claim 2 which said 
authentication server means generates a random number in a user authentication 
procedure, this is shown, authentication presentation information is required of said 
client means, and said confidential information performs said predetermined 
irreversible operation to connection by said user authentication information and said 
random number once or more, and is characterized by said authentication 
presentation information performing said predetermined irreversible operation to said 
confidential information n times. 

[Claim 4] Said authentication server means generates a random number in a user 
authentication procedure, shows this, and requires authentication presentation 
information of a client means. Said authentication presentation information is as a 
result of [ of what performed said predetermined irreversible operation to connection 
by said user authentication information and said random number once or more, and 
the random number for authentication which said client means generated ] 
EXCLUSIVE OR operation. The authentication system according to claim 2 
characterized by said confidential information being said random number for 
authentication counted backward from said authentication presentation information. 
[Claim 5] An authentication system given in either of claims 2-4 characterized by said 
user authentication information being the password entered by the user. 
[Claim 6] An authentication system given in either of claims 2-4 characterized by said 
user authentication information being the common key system cryptographic key held 
in secrecy. 

[Claim 7] An authentication system given in either of claims 1-6 to which said
authentication child is characterized by being a message authentication code.
[Claim 8] An authentication system given in either of claims 1-6 to which said
authentication child is characterized by being a digital signature.
[Claim 9] An authentication system given in either of claims 1-8 to which said
predetermined irreversible operation is characterized by being a one-way hash
operation.

[Claim 10] An authentication system given in either of claims 1-9 to which said 
authentication ticket is characterized by including a server identifier. 
[Claim 11] An authentication system given in either of claims 1-10 to which said
authentication ticket is characterized by including the time of the date of issue.
[Claim 12] The authentication system according to claim 11 characterized by for said
authentication ticket updating the collating information on said authentication ticket,
the count of effective, the time of the date of issue, a publisher identifier, and an
authentication child including a publisher identifier while said license server means
carries out use license, for said collating information being updated by what performed
said predetermined irreversible operation to said confidential information n-k times,
and said count of effective being updated by n-k.

[Claim 13] An authentication system given in either of claims 1-12 to which said 
license server means is characterized by having managed the use count of said 
authentication ticket, showing this, and requiring presentation information. 
[Claim 14] An authentication system given in either of claims 1-12 to which said 
client means is characterized by having managed the use count of said authentication 
ticket, showing this with said authentication ticket, and asking for use license. 
[Claim 15] It has said two or more license server means and the authentication ticket 
management tool which manages the use count of said authentication ticket. Said 
client means It is what has managed the use count of said authentication ticket, 
shows this with said authentication ticket, and asks for use license. Said 
authentication server means While publishing said authentication ticket, the shelf 
registration of said authentication ticket is directed to said authentication ticket 
management tool. Said license server means An authentication system given in either 
of claims 1-11 characterized by not carrying out use license when the renewal of
hysteresis of said authentication ticket is directed to said authentication ticket 
management tool in response to presentation of said authentication ticket and the 
notice of refusal is received from said authentication ticket management tool. 
[Claim 16] Said license server means two or more preparations and said client means 
It is what has managed the use count of said authentication ticket, shows this with 
said authentication ticket, and asks for use license. Said authentication server means 
Issue hysteresis is memorized while publishing said authentication ticket. Said license 
server means Memorize updating hysteresis, while updating said authentication ticket, 
and it refers for the hysteresis of said authentication ticket to said authentication 
server means which the publisher identifier of said authentication ticket shows in 
response to presentation of said authentication ticket, or said license server means. 
The authentication system according to claim 12 characterized by not carrying out
use license when the notice of refusal is received from said authentication server 
means or said license server means. 

[Claim 17] It is an authentication system given in either of claims 14-16 which said 
license server means generates a random number in a use license procedure, and 
show this, require presentation information, and are characterized by said 
presentation information in case the use count of said authentication ticket is k being 
as a result of [ of what performed said predetermined irreversible operation to said 
confidential information n-k times, and said random number ] EXCLUSIVE OR 
operation. 

[Claim 18] An authentication server means to publish an authentication ticket, and a 
license server means to approve use of an authentication ticket, In an authentication
system equipped with a client means to require an authentication ticket of said
authentication server means, and to require use license of an authentication ticket of 
said license server means An input means by which said client means obtains the 
input of the count of effective of a user-identification child, user authentication 
information, a server identifier, and an authentication ticket, A ticket maintenance 
means to obtain and hold an authentication ticket from said authentication server 
means, and to show said license server means, A processing selection means to 
acquire the existence information on an authentication ticket and to choose 
processing from said ticket maintenance means, A hash means to obtain a random 
number and to perform a hash operation to these connection from said authentication 
server means while acquiring user authentication information from said input means, A 
secret storage means to memorize in secrecy the hash value obtained from said hash 
means, Take out a hash value from said secret storage means, and the count n of 
effective (n is a positive integer) is obtained from said input means in a user 
authentication procedure. The multistage hash value which performed and obtained n 
steps of hash operations for said authentication server means Delivery, In a use 
license procedure, the count k of use (k is a positive integer below n) is obtained from 
said license server means. An authentication information storage means by which 
provided a multistage hash means to send the multistage hash value which performed 
and obtained the hash operation of a n-k stage to said license server means, and user 
authentication information was accumulated for said authentication server means, 
The 2nd multistage hash means which performs n+1 step of hash operation to 
connection by the random-number generation means which generates a random 
number and is sent to said client means, and the user authentication information 
acquired from said authentication information storage means and the random number 
generated with said random-number generation means, An authentication collating 
means to collate with the multistage hash value which obtained the multistage hash 
value obtained from said client means with said 2nd multistage hash means, a ticket 
identifier generation means to generate an effective ticket identifier, and the 
authentication which clocks time of day and outputs time information — a time check 
— with a means The ticket identifier obtained from said ticket identifier generation 
means, the multistage hash value obtained from said authentication collating means, 
the server identifier obtained from said client means and the count of effective, and 
said authentication — a time check — the time stamp based on the time information
acquired from the means — An authentication child is added to connection of the 
publisher identifier which shows an authentication server means to a list. An 
authentication child verification means to verify the authentication child of the 
authentication ticket which possessed the authentication child addition means sent to 
said client means as an authentication ticket, and said license server means obtained 
from said client means, the license which clocks time of day and outputs time 
information — a time check — a means, the validity of a server identifier and a time
stamp, and said license — a time check — with a ticket effective judging means to
check the effectiveness of a difference with the time information acquired from the 
means The ticket use management tool which remains with the ticket identifier of an 
authentication ticket, and the count of use, and manages the count of available, The 
3rd multistage hash means which outputs the secondary multistage hash value which 
performed and obtained k steps of hash operations from said ticket use management 
tool to the multistage hash value which obtained the count k of use and was obtained 
from said client means, The authentication system characterized by providing a 
license collating means to collate the multistage hash value obtained from said ticket 
use management tool, and the secondary multistage hash value obtained from said 
3rd multistage hash means. 

[Claim 19] A server common key storage means by which said authentication child 
addition means memorizes the common key system cryptographic key shared 
between servers, A data connection means to connect a self-identifier storage means 
to memorize a self-identifier, and a ticket identifier, a multistage hash value, the
count of effective, a time stamp, a server identifier and the publisher identifier
obtained from said self-identifier storage means, A connection data hash means to 
perform a hash operation to the connection data obtained from said data connection 
means, The common key system cryptographer stage which enciphers the hash value 
obtained from said connection data hash means using the common key system 
cryptographic key obtained from said server common key storage means, and is made 
into an authentication child, An authentication child connection means to connect the 
connection data obtained from said data connection means and the authentication 
child who got from said common key system cryptographer stage is provided. The 2nd 
server common key storage means said authentication child verification means 
remembers the common key system cryptographic key shared between servers to be, 
An authentication child separation means to divide an authentication ticket into 
connection data and an authentication child, A data separation means to divide into a 
ticket identifier, a multistage hash value, the count of effective, a time stamp, a
server identifier, and a publisher identifier the connection data obtained from said 
authentication child separation means, The 2nd connection data hash means which 
performs a hash operation to the connection data obtained from said authentication 
child separation means, The 2nd common key system cryptographer stage which 
enciphers the hash value obtained from said 2nd connection data hash means using 
the common key system cryptographic key obtained from said 2nd server common 
key storage means, and is made into the authentication child for a comparison, A 
publisher identifier collating means to confirm that the publisher identifier obtained 
from said data separation means is an effective server identifier, The authentication 
system according to claim 18 characterized by providing a comparison means to 
compare the authentication child for a comparison who got from said 2nd common 
key system cryptographer stage with the authentication child who got from said
authentication child separation means when the collating result obtained from said
publisher identifier collating means showed the owner effect, and to output a result. 
[Claim 20] A self-private key storage means by which said authentication child 
addition means memorizes the public key system code private key of an 
authentication server in secrecy, A data connection means to connect a
self-identifier storage means to memorize a self-identifier, and a ticket identifier, a
multistage hash value, the count of effective, a time stamp, a server identifier and the
publisher identifier obtained from said self-identifier storage means, A connection 
data hash means to perform a hash operation to the connection data obtained from 
said data connection means, The public key system cryptographer stage which 
enciphers the hash value obtained from said connection data hash means using the 
public key system code private key obtained from said self-private key storage means, 
and is made into an authentication child, An authentication child separation means by 
which provide an authentication child connection means to connect the connection 
data obtained from said data connection means, and the authentication child who got 
from said public key system cryptographer stage, and said authentication child 
verification means divides an authentication ticket into connection data and an 
authentication child, A data separation means to separate and output the connection 
data obtained from said authentication child separation means to a ticket identifier, a 
multistage hash value, the count of effective, a time stamp, a server identifier, and a
publisher identifier, The 2nd connection data hash means which performs a hash 
operation to the connection data obtained from said authentication child separation 
means, A server public key are recording means to output the public key system code 
public key corresponding to the publisher identifier which the public key system code 
public key of an effective server was accumulated, and was obtained from said data 
separation means, The public key system decode means which decodes the 
authentication child who got from said authentication child separation means using 
the public key system code public key obtained from said server public key are 
recording means, and is made into the hash value for a comparison, The 
authentication system according to claim 18 characterized by providing a comparison 
means to compare the hash value obtained from said connection data hash means 
with the hash value for a comparison obtained from said public key system decode 
means, and to output a result. 

[Claim 21] Said client means possesses an authentication random-number generation 
means and the 1st exclusive-OR means. Said random-number generation means for 
authentication The random number for authentication is generated in a user 
authentication procedure. Said 1st exclusive-OR means The disturbance hash value 
which obtained by performing EXCLUSIVE OR operation of the random number for 
authentication obtained from said random-number generation means for 
authentication in the user authentication procedure, and the hash value obtained from 
said hash means for said authentication server means Delivery, Said secret storage
means memorizes in secrecy the random number for authentication obtained from
said random-number generation means for authentication. Said multistage hash 
means Take out the random number for authentication from said secret storage 
means, and the count k of use is obtained from said license server means in a use 
license procedure. The multistage hash value which performed and obtained the hash 
operation of a n-k stage for said license server means Delivery, Said authentication 
server means possesses the 2nd hash means and the 2nd exclusive-OR means 
instead of said authentication collating means. Said 2nd hash means A hash operation 
is performed to connection by the user authentication information acquired from said 
authentication information storage means, and the random numbers generated with 
said random-number generation means. Said 2nd exclusive-OR means Perform 
EXCLUSIVE OR operation of the hash value obtained from said 2nd hash means, and 
the disturbance hash value obtained from said client means, and the random number 
for authentication is acquired. Said 2nd multistage hash means performs n steps of 
hash operations by the random numbers for authentication obtained from said 2nd 
exclusive-OR means. Said authentication child addition means The ticket identifier 
obtained from said ticket identifier generation means, the multistage hash value 
obtained from said 2nd multistage hash means, the server identifier obtained from said 
client means and the count of effective, and said authentication — a time check — 
the time stamp based on the time information acquired from the means — An
authentication system given in either of claims 18-20 characterized by adding an
authentication child to connection of the publisher identifier which shows an
authentication server means to a list, and sending to said client means as an 
authentication ticket. 

[Claim 22] Said license server means possesses the 3rd hash means and the 2nd 
authentication child addition means instead of said 3rd multistage hash means. Said 
3rd hash means The secondary multistage hash value which performed and obtained 
the hash operation to the multistage hash value obtained from said client means is 
outputted. Said license collating means The multistage hash value obtained from said 
ticket use management tool and the secondary multistage hash value obtained from 
said 3rd hash means are collated. Said 2nd authentication child addition means The 
ticket identifier, the server identifier, and the count of the remaining use which were 
obtained from said ticket use management tool, the multistage hash value obtained 
from said client means, and said license — a time check — the time stamp based on
the time information acquired from the means — An authentication system given in 
either of claims 18-21 characterized by adding an authentication child to connection 
of the publisher identifier which shows a license server means to a list, and sending to 
said client means as an authentication ticket. 

[Claim 23] One or more license server means and the authentication ticket 
management tool which manages issue of an authentication ticket and a use situation 
are provided. Said authentication ticket management tool remains with a ticket
identifier and the count of effective based on the authentication ticket shelf
registration directions obtained from said authentication server means, and a group 
with the count of use is managed. Adjustment with the renewal directions of 
authentication ticket hysteresis obtained from said license server means is checked. 
In the case of mismatching, delivery and said authentication server means possess a 
ticket registration directions means for the notice of authentication ticket refusal at 
said license server means. Said ticket registration directions means Authentication 
ticket shelf registration directions are generated from the ticket identifier obtained 
from said ticket identifier generation means, the server identifier obtained from said 
client means, and the count of effective. To said authentication ticket management 
tool Delivery, Said client means possesses the ticket maintenance management tool 
replaced with said ticket maintenance means, and the 1st exclusive-OR means. Said 
ticket maintenance management tool While obtaining and holding an authentication 
ticket from said authentication server means, the count of use is managed, and they 
are shown to said license server means. Said multistage hash means The multistage 
hash value which took out the hash value from said secret storage means, and 
performed and obtained n steps of hash operations in the user authentication 
procedure for said authentication server means Delivery, The count k of use obtained 
from said ticket maintenance management tool in the use license procedure is 
obtained. The multistage hash value which performed and obtained the hash operation 
of a n-k stage for said 1st exclusive-OR means delivery and said 1st exclusive-OR 
means EXCLUSIVE OR operation of the multistage hash value obtained from said 
multistage hash means and the random number obtained from said license server 
means is performed. The disturbance multistage hash value of a result for said license 
server means Delivery, Said license server means possesses the renewal directions 
means of a ticket replaced with a ticket use management tool, the 2nd
random-number generation means, and the 2nd exclusive-OR means. Said renewal directions
means of a ticket The renewal directions of authentication ticket hysteresis are 
generated from the ticket identifier and server identifier which were obtained from 
said authentication child verification means when the judgment result obtained from 
said ticket effective judging means showed the owner effect, and the count of use 
obtained from said client means. To said authentication ticket management tool 
Delivery, The count k of use obtained from said client means when the notice of 
authentication ticket refusal was not returned from said authentication ticket 
management tool, and the multistage hash value obtained from said authentication 
child verification means are outputted. Said 2nd random-number generation means 
generates a random number. For said client means and said 2nd exclusive-OR means 
delivery and said 2nd exclusive-OR means Perform EXCLUSIVE OR operation of the 
random number obtained from said 2nd random-number generation means, and the 
disturbance multistage hash value obtained from said client means, and a multistage 
hash value is acquired. Said 3rd multistage hash means outputs the secondary
multistage hash value which performed and obtained k steps of hash operations to the
multistage hash value obtained from said 2nd exclusive-OR means. Said 
authentication ticket management tool remains with a ticket identifier and the count 
of effective based on the authentication ticket shelf registration directions obtained 
from said authentication server means, and a group with the count of use is managed. 
An authentication system given in either of claims 18-21 characterized by checking 
adjustment with the renewal directions of authentication ticket hysteresis obtained 
from said license server means, and sending the notice of authentication ticket 
refusal at said license server means in the case of mismatching. 
[Claim 24] One or more license server means are provided, and said authentication 
server means possesses a ticket issue management tool. Said ticket issue 
management tool The ticket identifier obtained from said ticket identifier generation 
means, the server identifier obtained from said client means, and the count of 
effective are managed. Search a ticket identifier based on the ticket use enquiry 
obtained from said license server means, and the adjustment of the count of use is 
checked. The ticket maintenance management tool with which delivery and said client 
means replace the notice of authentication ticket refusal for said ticket maintenance 
means at said license server means in the case of mismatching, The 1st
exclusive-OR means is provided. Said ticket maintenance management tool While obtaining and
holding an authentication ticket from said authentication server means, the count of 
use is managed, and they are shown to said license server means. Said multistage 
hash means The multistage hash value which took out the hash value from said 
secret storage means, and performed and obtained n steps of hash operations in the 
user authentication procedure for said authentication server means Delivery, The 
count k of use obtained from said ticket maintenance management tool in the use 
license procedure is obtained. The multistage hash value which performed and 
obtained the hash operation of a n-k stage for said 1st exclusive-OR means delivery 
and said 1st exclusive-OR means EXCLUSIVE OR operation of the multistage hash 
value obtained from said multistage hash means and the random number obtained 
from said license server means is performed. The disturbance multistage hash value 
of a result for said license server means Delivery, Said license server means 
possesses the renewal management tool of a ticket replaced with said ticket use 
management tool, and the 2nd random-number generation means and the 2nd 
exclusive-OR means. Said renewal management tool of a ticket Ticket use enquiry is 
generated from the ticket identifier and server identifier which were obtained from 
said authentication child verification means when the judgment result obtained from 
said ticket effective judging means showed the owner effect, and the count of use 
obtained from said client means. As opposed to said authentication server means or 
the 2nd license server means which a publisher identifier shows Delivery, When the 
notice of authentication ticket refusal is not returned from said authentication server 
means or said 2nd license server means, while outputting the count of use obtained
from said client means, and the multistage hash value obtained from said
authentication child verification means When a ticket identifier, a server identifier, and 
the count of the remaining use are managed and ticket use enquiry is received from 
said 2nd license server means, the adjustment of the count of use is checked. In the 
case of mismatching, the notice of authentication ticket refusal at said 2nd license 
server means delivery and said 2nd random-number generation means A random 
number is generated. For said client means and said 2nd exclusive-OR means delivery 
and said 2nd exclusive-OR means EXCLUSIVE OR operation of the random number 
obtained from said 2nd random-number generation means and the disturbance 
multistage hash value obtained from said client means is performed, and a multistage 
hash value is acquired. Said 2nd hash means The secondary multistage hash value 
which performed and obtained the hash operation to the multistage hash value 
obtained from said 2nd exclusive-OR means is outputted. Said 2nd authentication 
child addition means The ticket identifier, the server identifier, and the count of the 
remaining use which were obtained from said ticket management tool, the multistage 
hash value obtained from said 2nd exclusive-OR means, and said license — a time 
check — the time stamp based on the time information acquired from the means —
The authentication system according to claim 22 characterized by adding an 
authentication child to connection of the publisher identifier which shows a license 
server means to a list, and sending to said client means as an authentication ticket. 
[Claim 25] In the authentication method of an authentication system equipped with 
an authentication server means to publish an authentication ticket, a license server 
means to approve use of an authentication ticket, and a client means to require an 
authentication ticket of said authentication server means and to require use license 
of an authentication ticket of said license server means: the authentication server 
means publishes to the client means an authentication ticket whose valid count is n 
(n is a positive integer) and which includes collating information obtained by 
performing a predetermined irreversible operation n times on the confidential 
information which the authentication server means and the client means share. The 
client means shows said authentication ticket to the license server means, asks for 
use license, and receives the license server means' demand for presentation 
information. When the use count of said authentication ticket is k (k is a positive 
integer n or less), the client means shows, as said presentation information, the 
result of performing said predetermined irreversible operation on said confidential 
information n-k times. The authentication method characterized in that the license 
server means performs said predetermined irreversible operation on said presentation 
information k times and checks that the result matches said collating information. 

[Claim 26] In the authentication method of an authentication system equipped with 
an authentication server means to publish an authentication ticket, a license server 
means to approve use of an authentication ticket, and a client means to require an 
authentication ticket of said authentication server means and to require use license 
of an authentication ticket of said license server means: the authentication server 
means publishes to the client means an authentication ticket whose valid count is n 
(n is a positive integer) and which includes collating information obtained by 
performing a predetermined irreversible operation n times on the confidential 
information which the authentication server means and the client means share. The 
client means shows said authentication ticket to the license server means, asks for 
use license, and receives the license server means' demand for presentation 
information. When the use count of said authentication ticket is k (k is a positive 
integer n or less), the client means shows, as said presentation information, the 
result of performing said predetermined irreversible operation on said confidential 
information n-k times. The authentication method characterized in that the license 
server means performs said predetermined irreversible operation on said presentation 
information once, checks that the result matches said collating information, and 
updates the collating information included in said authentication ticket to the 
result of performing said predetermined irreversible operation on said confidential 
information n-k times. 
[Claim 27] Said authentication server means shows a random number to a client 
means that requires an authentication ticket, and requires authentication 
presentation information. The client means shows, as said authentication 
presentation information, the result of performing said predetermined irreversible 
operation n+1 times on the concatenation of user authentication information and 
said random number. The authentication server means performs said predetermined 
irreversible operation n+1 times on the concatenation of the user authentication 
information it currently holds and said random number. If the result is confirmed to 
match said authentication presentation information, the result of performing said 
predetermined irreversible operation once on the concatenation of said user 
authentication information and said random number is made said confidential 
information. The authentication method according to claim 25 or 26 characterized by 
publishing an authentication ticket which includes collating information obtained by 
performing the predetermined irreversible operation n times (n is a positive integer) 
on this confidential information. 

[Claim 28] Said authentication server means shows a random number to a client 
means that requires an authentication ticket, and requires authentication 
presentation information. The client means shows, as said authentication 
presentation information, the exclusive-OR of the result of performing said 
predetermined irreversible operation once or more on the concatenation of user 
authentication information and said random number, and a random number for 
authentication which the client means generated. The authentication server means 
back-calculates said random number for authentication from said authentication 
presentation information using the user authentication information it currently 
holds and said random number, and makes said random number for authentication said 
confidential information. The authentication method according to claim 25 or 26 
characterized by publishing an authentication ticket which includes collating 
information obtained by performing the predetermined irreversible operation n times 
(n is a positive integer) on this confidential information. 
[Claim 29] An authentication processing program record medium on which is recorded, 
in a computer-readable format, a processing program for the authentication method 
performed by the authentication system according to any of claims 1-24, or for the 
authentication method according to any of claims 25-28. 



DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to a single sign-on type 
authentication method and authentication system which permit multiple accesses with 
one judgment of the validity of accessing server equipment. In particular, it makes 
cipher processing in client equipment unnecessary, so that processing is possible 
even on equipment with low computation capacity. 
[0002] 

[Description of the Prior Art] With the development of digital-communication 
techniques in recent years, server-client type systems, which consist of server 
equipment and client equipment connected through a network, have become common. In 
such a system it is important to check that the client equipment and its user have 
legitimate authority to access the server equipment, so that unauthorized access is 
not performed. Password input is a well-known authentication method for checking 
this access permission. Asking for a password input at every access is safe but 
inconvenient for the user, so single sign-on type authentication methods, which 
improve convenience, have come to be used. A generally known example of such a 
single sign-on type authentication method is TTP (Trusted Third-party Protocol), 
used by the Kerberos authentication system. 

[0003] Hereafter, the conventional single sign-on type authentication method is 
explained with reference to the drawings. Drawing 23 is a conceptual diagram showing 
the outline of the conventional single sign-on type authentication method, and 
drawing 24 is a protocol sequence diagram showing its protocol. In drawing 23 and 
drawing 24, 81 is a client means which has a user interface, 82 is an authentication 
server means which performs user authentication, and 83 is a license server means 
which judges access permission and performs use license. 
[0004] In the user authentication procedure between the client means 81 and the 
authentication server means 82, the client means 81 sends to the authentication 
server means 82 the authentication demand Authenticate Request801, which carries as 
authentication presentation information the user identifier UID and the server 
identifier SID inputted through the user interface. In reply, the authentication 
server means 82 returns the authentication response Authenticate Response802, which 
carries the session key SK enciphered using Password PW as a key, together with the 
authentication ticket Ticket803. 
[0005] Furthermore, in the use license procedure between the client means 81 and 
the license server means 83, the client means 81 sends to the license server means 83 
the license demand Authorize Request804, which carries as presentation information 
the user identifier UID and the time stamp TSk enciphered with the session key SK, 
together with the authentication ticket Ticket805. The license server means 83 
verifies the presentation information in the license demand Authorize Request804 
and the authentication ticket Ticket805, and if it finds them legitimate, it returns 
the notice of license Result806. 
[0006] The configuration of the conventional single sign-on type authentication 
method with the above protocol sequence is explained below with reference to drawing 
25. Drawing 25 is a functional block diagram showing the configuration of the 
conventional single sign-on type authentication method. In drawing 25 as well, 81 is 
a client means which has a user interface, 82 is an authentication server means which 
performs user authentication, and 83 is a license server means which judges access 
permission and performs use license. 
[0007] The client means 81 consists of a 1st transceiver means 311 which transmits 
and receives data, an input means 811 to obtain the input from a user, a session key 
decode means 812 to decode the received session key, a ticket maintenance means 314 
to hold the received authentication ticket, a processing selection means 315 to 
choose processing according to the maintenance condition of an authentication ticket, 
a secret storage means 316 to memorize the decoded session key in secrecy, a 
certification time-check means 813 which clocks the time of day, and a certification 
information encryption means 814 which enciphers attested certification information 
using a session key. 

[0008] Moreover, the authentication server means 82 consists of a 2nd transceiver 
means 321 which transmits and receives data, an authentication time-check means 322 
which clocks the time of day, an authentication information storage means 323 in 
which user authentication information, such as a password, is accumulated, a session 
key generation means 821 to generate a cryptographic key for every user 
authentication processing, a session key encryption means 822 which enciphers a 
session key using a password, and a ticket encryption means 823 which enciphers an 
authentication ticket using a session key. 



[0009] Moreover, the license server means 83 consists of a 3rd transceiver means 
331 which transmits and receives data, a license time-check means 332 which clocks 
the time of day, a ticket decode means 831 to decode an authentication ticket, a 
ticket effective judging means 832 to judge the validity of an authentication 
ticket, a certification information decode means 833 to decrypt attested 
certification information, a certification information effective judging means 834 
to judge the validity of attested certification information, and a license collating 
means 835 which compares the contents of the authentication ticket with the contents 
of the attested certification information. 

[0010] The operation of the conventional single sign-on type authentication method 
constituted as mentioned above is explained below with reference to drawing 26. 
First, in the client means 81, the user identifier UID which shows the user, the 
password PW for user authentication registered beforehand in the authentication 
server means 82, and the server identifier SID of the server from which use license 
is to be obtained are inputted into the input means 811 as a user input 800 (ST3101, 
ST8101). The input means 811 holds the user input 800 temporarily, takes out the 
server identifier 3101, and sends it to the ticket maintenance means 314. The ticket 
maintenance means 314 searches for the authentication ticket data corresponding to 
the server identifier 3101 (ST3102), and sends the notice 3102 of a retrieval result 
to the processing selection means 315. When the notice 3102 of a retrieval result 
shows that no ticket is held, the processing selection means 315 sends the notice 
8101 of user authentication processing starting to said input means 811; when it 
shows that a ticket is held, it sends the notice 8102 of use license procedure 
starting to said ticket maintenance means 314, the secret storage means 316, and the 
certification information encryption means 814 (ST3103). 
[0011] When the notice 8101 of user authentication starting is given, said input 
means 811 takes out the group 8103 of the user identifier and server identifier from 
the temporarily held user input 800 and sends it through the 1st transceiver means 
311 to the authentication server means 82 as the authentication demand Authenticate 
Request801 (ST8102), sends the user identifier 8104 to the certification information 
encryption means 814, and sends the password 8105 to the session key decode means 
812. 
[0012] In the authentication server means 82, the authentication demand 
Authenticate Request801 is received with the 2nd transceiver means 321; the user 
identifier 8201 taken out from it is sent to the authentication information storage 
means 323 and the ticket encryption means 823, and the server identifier 8202 is sent 
to the ticket encryption means 823 (ST8201). The authentication information storage 
means 323 searches for the password corresponding to the user identifier 8201 
(ST8202); when one exists, it sends the password 8203 to the session key encryption 
means 822, and it sends the notice 8204 of a retrieval result to the session key 
generation means 821 and the session key encryption means 822 (ST8203). When the 
notice 8204 of a retrieval result shows that a password exists, the session key 
generation means 821 newly generates the random session key 8205, and sends it to 
the session key encryption means 822 and the ticket encryption means 823 (ST8204). 
When the notice 8204 of a retrieval result shows that a password exists, the session 
key encryption means 822 generates the encryption session key 8206 by enciphering the 
session key 8205 with the password 8203 (ST8205), and sends this to the client means 
81 as the authentication response Authenticate Response802 through the 2nd 
transceiver means 321 (ST8207). The authentication time-check means 322 clocks the 
current time and supplies the time stamp 3212 based on the current time to the ticket 
encryption means 823. The ticket encryption means 823 generates the authentication 
ticket data 8207 by enciphering the user identifier 8201, the server identifier 8202, 
the time stamp 3212, and the session key 8205 using the internally held server common 
key corresponding to the server identifier 8202 (ST8202, ST8206), and sends this to 
the client means 81 as the authentication ticket Ticket803 through the 2nd 
transceiver means 321 (ST8207). 

[0013] In the client means 81, the authentication response Authenticate Response802 
is sent to the session key decode means 812 as an encryption session key 8106 through 
the 1st transceiver means 311, and the authentication ticket Ticket803 is sent to 
said ticket maintenance means 314 as authentication ticket data 8108 through the 1st 
transceiver means 311 (ST8103). Said ticket maintenance means 314 associates the 
authentication ticket data 8108 with the server identifier 3101 and holds them 
(ST3112). The session key decode means 812 decrypts the encryption session key 8106 
using the password 8105 (ST8104). Therefore, a correct session key can be obtained 
only when the correct password is entered. The session key 8107 obtained with the 
session key decode means 812 is sent to the secret storage means 316 and memorized. 

[0014] The secret storage means 316 memorizes the session key 8107 in secrecy and 
permits only predetermined access; when the notice 8102 of use license procedure 
starting is given, it sends the memorized session key 8109 to the certification 
information encryption means 814 (ST8105). The certification time-check means 813 
clocks the current time and supplies the time stamp 8110 based on the current time 
to the certification information encryption means 814. When the notice 8102 of use 
license procedure starting is given, the certification information encryption means 
814 generates the attested certification information 8111 by enciphering the user 
identifier 8104 and the time stamp 8110 using the session key 8109 (ST8106), and 
sends this to the license server means 83 as the license demand Authorize Request804 
through the 1st transceiver means 311 (ST8107). When the notice 8102 of use license 
procedure starting is given, said ticket maintenance means 314 sends the held 
authentication ticket data 8112 corresponding to the server identifier 3101 to the 
license server means 83 as the authentication ticket Ticket805 through the 1st 
transceiver means 311 (ST8107). 
[0015] In the license server means 83, the license demand Authorize Request804 is 
sent to the certification information decode means 833 as attested certification 
information 8308 through the 3rd transceiver means 331, and the authentication 
ticket Ticket805 is sent to the ticket decode means 831 as authentication ticket data 
8301 through the 3rd transceiver means 331 (ST8301). The ticket decode means 831 
decrypts the authentication ticket data 8301 using the internally held self-server 
common key, sends the obtained user identifier 8302, server identifier 8303, and 
time stamp 8304 to the ticket effective judging means 832, and sends the session key 
8305 to the certification information decode means 833 (ST8302). The license 
time-check means 332 clocks the current time and supplies the current time 
information 8306 to the ticket effective judging means 832 and the certification 
information effective judging means 834. The ticket effective judging means 832 
judges whether the server identifier 8303 matches the internally held self-server 
identifier and confirms that the difference between the time stamp 8304 and the 
current time information 8306 is within a predetermined expiration period; when all 
are true, it sends the user identifier 8302 to the license collating means 835 as 
the ticket user identifier 8307 (ST3306, ST3307). The certification information 
decode means 833 decrypts the attested certification information 8308 using the 
session key 8305, and sends the obtained user identifier 8309 and time stamp 8310 to 
the certification information effective judging means 834 (ST8303). Since the 
attested certification information was enciphered using the session key at the 
client means, a correct user identifier and time stamp are obtained here only when 
the correct session key was used at the client means. The certification information 
effective judging means 834 confirms that the difference between the time stamp 8310 
and the current time information 8306 is within a predetermined time difference; 
when this is true, it sends the user identifier 8309 to the license collating means 
835 as the certification user identifier 8311 (ST8304, ST8305). The license collating 
means 835 judges whether the ticket user identifier 8307 and the certification user 
identifier 8311 match (ST8306); if they do, it sends the notice 8312 of license to 
the client means 81 through the 3rd transceiver means 331 as the notice of license 
Result806 (ST8307, ST3317), and the client means 81 receives it (ST3118). When the 
match judgment is true, the user identifier and the time stamp were obtained 
correctly. This shows that the correct session key was used at the client means, and 
since this means that the correct password was entered, the use license result 
corresponds to the user authentication result. 

[0016] 

[Problem(s) to be Solved by the Invention] However, the above-mentioned 
conventional configuration makes heavy use of cipher processing, which needs great 
computational complexity, and in particular the client side must perform cipher 
processing at every use license processing. When the client side is equipment of low 
computation capacity, such as a personal digital assistant or a smart phone, there 
was therefore the technical problem that it was difficult to perform use license 
processing within a practical processing time. 

[0017] Moreover, the above-mentioned conventional configuration does not restrict 
the use count of an authentication ticket but only provides an expiration date. Even 
if the encryption of an authentication ticket intercepted by a third person were 
broken and unauthorized access were performed, there was therefore also the 
technical problem that the access was highly likely to go undiscovered. 

[0018] This invention solves such conventional technical problems. It aims at 
offering a single sign-on type authentication method and authentication system which 
need no cipher processing on the client side, can perform use license processing 
within a practical processing time even on equipment of low computation capacity, 
and can easily manage the use count of an authentication ticket. 
[0019] 

[Means for Solving the Problem] In order to solve this technical problem, this 
invention is, first, provided with a client means which holds an authentication 
ticket whose valid count is n (n is a positive integer), shows it, and asks for use 
license, and a license server means which in response requires presentation 
information, collates it with said authentication ticket, and grants use license. 
Said authentication ticket includes a ticket identifier, collating information, the 
valid count, the date and time of issue, and a server identifier, and is given an 
authenticator. Said collating information is obtained by performing a predetermined 
irreversible operation n times on the confidential information which the publisher 
of said authentication ticket and said client means share. Said presentation 
information in the case where the use count of said authentication ticket is k (k is 
a positive integer n or less) is characterized by being obtained by performing said 
predetermined irreversible operation on said confidential information n-k times. 

[0020] This yields a single sign-on type authentication method and authentication 
system which need no cipher processing on the client side, can easily manage the use 
count of an authentication ticket, and can eliminate duplicate use. 

[0021] Second, it is characterized in that said authentication server means 
generates a random number in the user authentication procedure, shows it, and 
requires authentication presentation information of the client means; said 
confidential information is obtained by performing said predetermined irreversible 
operation once or more on the concatenation of said user authentication information 
and said random number; and said authentication presentation information is obtained 
by performing said predetermined irreversible operation on said confidential 
information n times. 
[0022] In addition to the above-mentioned effect, this yields a single sign-on type 
authentication method and authentication system which need no cipher processing on 
the client side in the user authentication procedure either, and in which the data 
processing for authentication presentation information and the data processing for 
presentation information can be shared. 

[0023] Third, said authentication server means generates a random number in the 
user authentication procedure, shows it, and requires authentication presentation 
information of the client means. Said authentication presentation information is the 
exclusive-OR of the result of performing said predetermined irreversible operation 
once or more on the concatenation of said user authentication information and said 
random number, and a random number for authentication which the client means 
generated. Said confidential information is characterized by being said random 
number for authentication back-calculated from said authentication presentation 
information. 

[0024] In addition to the above-mentioned effect, the collating information included 
in an authentication ticket thereby becomes unrelated to user authentication 
information. This yields a safer single sign-on type authentication method and 
authentication system in which there is not even a possibility that user 
authentication information will be guessed from an authentication ticket. 
[0025] Fourth, it is characterized in that said predetermined irreversible operation 
is a one-way hash operation. 

[0026] In addition to the above-mentioned effect, this yields a single sign-on type 
authentication method and authentication system which can perform use license 
processing within a practical processing time even if the client side is equipment 
of low computation capacity. 

[0027] Fifth, it is characterized in that said authentication ticket includes a 
publisher identifier; said license server means, while granting use license, updates 
the collating information, the valid count, the date and time of issue, the publisher 
identifier, and the authenticator of said authentication ticket; said collating 
information is updated to the result of performing said predetermined irreversible 
operation on said confidential information n-k times; and said valid count is 
updated to n-k. 

[0028] In addition to the above-mentioned effect, since the authentication ticket 
is updated whenever it is used, and in particular the time stamp is updated, the 
expiration period used in the validity judgment can be set shorter. The possibility 
of unauthorized use by a third person can thus be made smaller, and a single sign-on 
type authentication method and authentication system which can further shorten the 
response time of use license are obtained. 
[0029] Sixth, said client means manages the use count of said authentication 
ticket, and shows this together with said authentication ticket when asking for use 
license. Two or more of said license server means are provided, together with an 
authentication ticket management tool which manages the use count of said 
authentication ticket. Said authentication server means, while publishing said 
authentication ticket, directs the shelf registration of said authentication ticket 
to said authentication ticket management tool. Said license server means, in response 
to presentation of said authentication ticket, directs the history update of said 
authentication ticket to said authentication ticket management tool, and when a 
notice of refusal is received from said authentication ticket management tool, it is 
characterized by not granting use license. 

[0030] In addition to the above-mentioned effect, this makes it possible, in a 
system in which an authentication ticket is not updated, to use an authentication 
ticket in common across two or more license servers, so a more convenient single 
sign-on type authentication method and authentication system are obtained. 

[0031] Seventh, said client means manages the use count of said authentication 
ticket, and shows this together with said authentication ticket when asking for use 
license. Two or more of said license server means are provided. Said authentication 
server means memorizes issue history while publishing said authentication ticket. 
Said license server means memorizes update history while updating said 
authentication ticket, and, in response to presentation of said authentication 
ticket, inquires about the history of said authentication ticket of the 
authentication server means or license server means which the publisher identifier 
of said authentication ticket shows. When a notice of refusal is received from said 
authentication server means or said license server means, it is characterized by not 
granting use license. 

[0032] In addition to the above-mentioned effect, the management of authentication 
ticket use can thereby be distributed in a system in which an authentication ticket 
is updated, so a single sign-on type authentication method and authentication system 
which can further lessen the management resources required are obtained. 
[0033] 

[Embodiment of the Invention] Hereafter, embodiments of this invention are explained 
with reference to the drawings. 

[0034] (1st embodiment) The authentication system of the 1st embodiment consists of 
the client means 1 with a user interface, an authentication server means 2 to 
perform user authentication, and a license server means 3 to judge the access 
permission of the client means 1 and to perform use license, as shown in drawing 1. 
A general purpose computer, a Personal Digital Assistant, a smart phone, etc. can be 
used for the client means 1; a general purpose computer, dedicated authentication 
server equipment, etc. can be used for the authentication server means 2; and a 
general purpose computer, dedicated license server equipment, dedicated information 
offer equipment, etc. can be used for the license server means 3. 

[0035] A cable or radio network connects the client means 1 and the license server 
means 3. The client means 1 and the authentication server means 2 need not 
necessarily be connected by a communication network, but they need to share 
confidential information 4. As this confidential information 4, a password, a common 
key system cryptographic key, or a value computed from them is used, for example. 

[0036] The client means 1 holds the authentication ticket 5 used in the use license 
procedure. The authentication server means 2 publishes this to the client means 1: 
the authentication server means 2 takes as collating information the result of 
performing the irreversible operation f on confidential information 4 n times (n 
being the valid count of the authentication ticket), adds an authenticator to this, 
and generates the authentication ticket 5. The authenticator is added for the 
purpose of preventing alteration of the authentication ticket and certifying its 
publisher; a message authentication code, a digital signature, etc. can be used. 
[0037] In the use license procedure between the client means 1 and the license 
server means 3, the result of the client means 1 performing the irreversible 
operation f on confidential information 4 n-k times (k is the use count of the 
authentication ticket in the use license procedure) is used as presentation 
information 6. As long as the irreversible operation f has sufficiently safe 
irreversibility, result length, and randomness, a third person who does not know 
confidential information 4 cannot calculate this presentation information 6, so 
showing this presentation information 6 demonstrates that the presenter is the valid 
user who knows confidential information 4. Moreover, since presentation information 
used further in the past has had the irreversible operation f applied more times, 
the next presentation information cannot be calculated from this presentation 
information 6 either, so there is also no need for encryption. 

[0038] The client means 1 sends this presentation information 6 to the license 
server means 3 together with the authentication ticket 7 it holds. In response, the 
license server means 3 verifies the authenticator which the authentication ticket 7 
contains and checks that the result of performing the irreversible operation f on 
the presentation information 6 k times matches the collating information which the 
authentication ticket 7 includes; if it accepts that these are legitimate, it 
returns the notice 8 of license. 

[0039] By this method, the client means 1 can obtain use license up to n times using 
the authentication ticket 7, without revealing confidential information 4 to a third 
person, including the license server means 3. 

[0040] Thus, the authentication system of this operation gestalt has a client means
which holds an authentication ticket whose count of effective is n (n is a positive
integer), shows it, and asks for use license, and a license server means which
requires presentation information in response, collates it with said authentication
ticket, and grants use license.

[0041] Said authentication ticket can include information other than the collating
information, such as a ticket identifier, the count of effective, the date and time
of issue, and a server identifier, and an authentication child is attached to it.
The collating information is the result of performing the predetermined irreversible
operation n times on the confidential information which the publisher of the
authentication ticket and the client means share. Said presentation information is
the result of performing the predetermined irreversible operation n-k times on said
confidential information, when the use count of the authentication ticket is k (k is
a positive integer not greater than n).

[0042] Such a configuration yields a single sign-on type authentication approach and
authentication system which need no cipher processing on the client side, can manage
the use count of an authentication ticket easily, and can eliminate duplicate use.

[0043] (Gestalt of the 2nd operation) In the authentication system of the 2nd 
operation gestalt, a client means shows authentication presentation information to the 
authentication server means 22, and requires an authentication ticket. 
[0044] As shown in drawing 2, this authentication system consists of a client means
11 which has a user interface, an authentication server means 12 which performs user
authentication, and a license server means 3 which judges the access permission of
the client means 11 and performs use license; a cable or radio network connects the
client means 11, the authentication server means 12, and the license server means 3.
This license server means 3 is the same as that of the 1st operation gestalt
(drawing 1). The authentication ticket returned to the client means 11 from the
authentication server means 12, the presentation information and license ticket
which the client means 11 transmits to the license server means 3, and the notice 8
of license returned to the client means 11 from the license server means 3 are also
the same as those of the 1st operation gestalt (drawing 1).

[0045] The client means 11 and the authentication server means 12 of this
authentication system share, as confidential information 14, the result of performing
the irreversible operation f once on the concatenation of the password PW entered
through the user interface and the random number R obtained from the authentication
server means 12. As long as the irreversible operation f is sufficiently secure in
its irreversibility, the length of its result, and its randomness, a third person who
does not know Password PW cannot calculate this confidential information 14.
[0046] In the user authentication procedure between the client means 11 and the
authentication server means 12, the authentication server means 12 generates a random
number, shows it to the client means 11, and requires authentication presentation
information. The client means 11 computes confidential information 14 by performing
the irreversible operation f once on the concatenation of Password PW and the random
number R obtained from the authentication server means 12, and sends to the
authentication server means 12, as the authentication presentation information 13,
the result of performing the irreversible operation f on this confidential
information 14 a further n times (n+1 times in total, n being the count of effective
of the authentication ticket).

[0047] The authentication server means 12, for its part, checks from the
authentication presentation information 13 that the confidential information 14
corresponds, makes the result of performing the irreversible operation f on
confidential information 14 n times the collating information, adds an authentication
child to it, and returns the resulting authentication ticket 5. The client means 11
holds this ticket for use in the use license procedure. The authentication child is
added to prevent alteration of the authentication ticket and to certify its
publisher; a message authentication code, a digital signature, or the like can be
used for it.
[0048] Moreover, in the use license procedure between the client means 11 and the
license server means 3, the result of the client means 11 performing the irreversible
operation f on confidential information 14 n-k times (k being the use count of the
authentication ticket in the use license procedure) is used as presentation
information 6. As long as the irreversible operation f is sufficiently secure in its
irreversibility, the length of its result, and its randomness, a third person who
does not know confidential information 14 cannot calculate this presentation
information 6, so presenting it shows that the presenter is the valid user who knows
confidential information 14. Moreover, because presentation information from further
in the past has had the irreversible operation f applied more times, the next
presentation information cannot be calculated from this presentation information 6
either, and there is no need for encryption.

[0049] The client means 11 delivers the authentication ticket 7, together with this
presentation information 6, to the license server means 3. The license server means 3
verifies the authentication child contained in the authentication ticket 7 and checks
that the result of performing the irreversible operation f on the presentation
information 6 k times agrees with the collating information included in the
authentication ticket 7; if it accepts the request as just, it returns the notice 8
of license to the client means 11.

[0050] By this approach, the client means 11 can obtain use license up to n times
using the authentication ticket 7, without revealing confidential information 14 and
Password PW to a third person including the license server means 3.
[0051] Thus, in the authentication system of this operation gestalt, the
authentication server means generates a random number in the user authentication
procedure, shows it, and requires authentication presentation information of the
client means. At this time, the result of performing the predetermined irreversible
operation once or more on the concatenation of the user authentication information
and the random number is used as the confidential information, and the result of
performing the predetermined irreversible operation on this confidential information
n times is shown as the authentication presentation information.

[0052] Such a configuration yields a single sign-on type authentication approach and
authentication system in which, in addition to the effect of the 1st operation
gestalt, cipher processing on the client side is unnecessary in the user
authentication procedure as well, and the data processing of authentication
presentation information and that of presentation information can be made common.
[0053] (Gestalt of the 3rd operation) As shown in drawing 3, in the authentication
system of the 3rd operation gestalt, the random number for authentication generated
by the client means 21 is shared between the client means 21 and the authentication
server means 22 as confidential information 24.

[0054] In this system, in the user authentication procedure, the authentication
server means 22 generates a random number, shows it, and requires authentication
presentation information of the client means 21. The client means 21 sends to the
authentication server means 22, as the authentication presentation information 23,
the exclusive OR of two values: the result of performing the irreversible operation f
once on the concatenation of Password PW and the random number R obtained from the
authentication server means 22, and the confidential information 24 which the client
means 21 generated in secret. In drawing 3, the notation "@" shows the exclusive-OR
(EXOR) operation.

[0055] The authentication server means 22, for its part, calculates back from the
authentication presentation information 23, Password PW, and the random number R to
obtain confidential information 25. It then performs the irreversible operation f on
this confidential information 25 n times, makes the result the collating information,
adds an authentication child to it, and returns the resulting authentication ticket 5
to the client means 21. The client means 21 holds this ticket for use in the use
license procedure.

[0056] In addition, if an unauthorized third person makes up the authentication
presentation information 23 arbitrarily, then even if that client means 21 obtains
the authentication ticket 5, it does not know the confidential information 25 which
the server calculated back from the authentication presentation information 23 using
Password PW and the random number R. The unjust access can therefore be eliminated in
the subsequent use license procedure.

[0057] In the use license procedure between the client means 21 and the license
server means 3, the result of the client means 21 performing the irreversible
operation f on confidential information 24 n-k times (k being the use count of the
authentication ticket in the use license procedure) is used as presentation
information 6. As long as the irreversible operation f is sufficiently secure in its
irreversibility, the length of its result, and its randomness, a third person who
does not know confidential information 24 cannot calculate this presentation
information 6, so presenting it shows that the presenter is the valid user who knows
confidential information 24. Moreover, because presentation information from further
in the past has had the irreversible operation f applied more times, the next
presentation information cannot be calculated from this presentation information 6
either, and there is no need for encryption.

[0058] The client means 21 delivers the authentication ticket 7, together with this
presentation information 6, to the license server means 3. The license server means 3
verifies the authentication child contained in the authentication ticket 7 and checks
that the result of performing the irreversible operation f on the presentation
information 6 k times agrees with the collating information included in the
authentication ticket 7; if it accepts the request as just, it returns the notice 8
of license to the client means 21.

[0059] By this approach, the client means 21 can obtain use license up to n times
using the authentication ticket 7, without revealing confidential information 24 and
Password PW to a third person including the license server means 3.
[0060] Thus, in the authentication system of this operation gestalt, the
authentication server means generates a random number in the user authentication
procedure, shows it, and requires authentication presentation information of the
client means. The authentication presentation information is the result of an
EXCLUSIVE OR operation between the result of performing the predetermined
irreversible operation once or more on the concatenation of the user authentication
information and said random number, and the random number for authentication
(confidential information) which the client means generated; the authentication
server means calculates this confidential information back from the authentication
presentation information.
[0061] By such a configuration, the collating information which an authentication
ticket includes becomes unrelated to user authentication information. Therefore,
there is not even a possibility that user authentication information will be guessed
from an authentication ticket, and a safer single sign-on type authentication
approach and authentication system are obtained.
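
The exchange of the 3rd operation gestalt ([0054] to [0056]), as an added Python example that is not part of the patent text: the client masks its own random secret with f(PW || R), the server calculates it back, and a sender who does not know PW ends up with a ticket it cannot use. SHA-256 as the irreversible operation f, the 32-byte secret, and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def f(data: bytes) -> bytes:
    """Irreversible operation f (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).digest()

def f_iter(data: bytes, times: int) -> bytes:
    """Apply f 'times' times."""
    for _ in range(times):
        data = f(data)
    return data

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def client_presentation(password: bytes, r: bytes, secret: bytes) -> bytes:
    """Authentication presentation information 23: f(PW || R) XOR secret 24."""
    return xor(f(password + r), secret)

def server_recover(presentation: bytes, stored_password: bytes, r: bytes) -> bytes:
    """Server side: calculate confidential information 25 back from 23, PW and R."""
    return xor(presentation, f(stored_password + r))

def collating_information(secret: bytes, n: int) -> bytes:
    """Value placed in the ticket: f applied n times to the recovered secret."""
    return f_iter(secret, n)

def license_check(presented: bytes, k: int, collating: bytes) -> bool:
    """License server: f applied k times to the presented value must match."""
    return hmac.compare_digest(f_iter(presented, k), collating)

def demo(n: int = 5):
    stored_pw = b"constructed-password"      # constructed sample, held by the server
    r = secrets.token_bytes(16)              # random number R shown by the server

    # Valid user: knows PW, so the server recovers exactly secret 24.
    secret24 = secrets.token_bytes(32)
    secret25 = server_recover(client_presentation(stored_pw, r, secret24), stored_pw, r)
    ticket_value = collating_information(secret25, n)
    valid_ok = license_check(f_iter(secret24, n - 1), 1, ticket_value)

    # Sender without PW: the server still issues a ticket, but over a value
    # the sender does not know, so its first presentation (k = 1) is refused.
    own_secret = secrets.token_bytes(32)
    made_up = client_presentation(b"not-the-password", r, own_secret)
    server_side = server_recover(made_up, stored_pw, r)
    other_ticket = collating_information(server_side, n)
    other_ok = license_check(f_iter(own_secret, n - 1), 1, other_ticket)

    return secret25 == secret24, valid_ok, server_side == own_secret, other_ok

if __name__ == "__main__":
    print(demo())
```

The password check is implicit here: the authentication server compares nothing at issue time, and the mismatch only surfaces at the license server.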

[0062] (Gestalt of the 4th operation) The 4th operation gestalt explains the concrete
communication procedure in the authentication system of the 2nd operation gestalt and
the block configuration of each means which carries it out.
[0063] Drawing 4 is the protocol sequence diagram showing the protocol in this
system. In drawing 4, 31 is a client means which has a user interface, 32 is an
authentication server means which performs user authentication, and 33 is a license
server means which judges an access permission and performs use license; the notation
"S (K|-)" shows the authentication child attachment function which uses Key K.

[0064] In the user authentication procedure between the client means 31 and the
authentication server means 32, the client means 31 first sends the authentication
demand Authenticate Request301, accompanied by the user-identification child UID and
the server identifier SID which were inputted through the user interface, to the
authentication server means 32. The authentication demand Authenticate Request301 may
also be accompanied by the count n of effective of the authentication ticket. When it
is not, the authentication server simply sets the count n of effective to a fixed
value.

[0065] The authentication server means 32, for its part, returns the authentication
challenge Challenge302 accompanied by the random number R0, which is generated so
that it differs each time. The client means 31 which received this returns the
authentication challenge response Response303 accompanied by the result of performing
n+1 steps of the hash operation H on the concatenation of Password PW, inputted
through the user interface, and the random number R0. The authentication server means
32 compares the n+1-step hash result in the challenge response Response303 with the
n+1-step hash result which it computed itself and, if they agree, accepts the user as
just. It then returns the authentication ticket Ticket304, in which an authentication
child is added to the newly generated ticket identifier TID, the n+1-step hash
result, the time stamp TS0, the server identifier SID, and the publisher identifier
IID which shows the authentication server 32 itself. The client means 31 holds this
ticket for use in the use license procedure.

[0066] Moreover, in the use license procedure between the client means 31 and the
license server means 33, the client means 31 sends the license demand Authorize
Request and the authentication ticket Ticket305 to the license server means 33. The
license demand Authorize Request may also be accompanied by the user-identification
child UID. The license server means 33 returns the license challenge Challenge306
accompanied by the value k based on the use count of this authentication ticket. The
client means 31 which received this returns the license challenge response
Response307 accompanied by the result of performing (n-k)+1 steps of the hash
operation H on the concatenation of Password PW and the random number R0.

[0067] As long as this hash operation H is sufficiently secure in its one-wayness,
the length of its result, and its randomness, a third person who does not know
Password PW and the random number R0 cannot calculate this hash result, so the hash
result shows that the sender is the valid user who knows Password PW. Moreover,
because hash results from further in the past have had more stages of the hash
operation H applied, the next hash result cannot be calculated from this hash result
either, and there is no need for encryption. Algorithms such as MD5 and SHA can be
used as such a hash operation H, for example.

[0068] The license server means 32, for its part, performs k more steps of the hash
operation on the (n-k)+1-step hash result in the license challenge response
Response307 and compares the result with the n+1-step hash result in the
authentication ticket Ticket; if they agree, it accepts the request as just and
returns the notice Result308 of license. The notice 308 of license may at the same
time be accompanied by the information Info to which access was permitted by the use
license.
[0069] By the above protocol sequence, the client means 31 can obtain use license up
to n times using the authentication ticket 304, without revealing Password PW to a
third person including the license server means 33.
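
The protocol sequence of [0064] to [0069], which also covers the n-k / k collation of the 1st and 2nd operation gestalts, as an added Python example that is not part of the patent text. SHA-256 as H, an HMAC-SHA-256 authentication child under a key assumed to be shared by the two servers, the JSON ticket layout, the one-hour lifetime, and all class and function names are assumptions of this example.

```python
import hashlib, hmac, json, secrets, time

def H(data: bytes) -> bytes:
    """Hash operation H (SHA-256 is this example's assumption)."""
    return hashlib.sha256(data).digest()

def H_steps(data: bytes, steps: int) -> bytes:
    """Multistage hash: apply H 'steps' times."""
    for _ in range(steps):
        data = H(data)
    return data

class AuthServer:
    """Authentication server means 32 (hypothetical class)."""
    def __init__(self, mac_key, passwords, iid="AS-32"):
        self.mac_key, self.passwords, self.iid = mac_key, passwords, iid
        self.pending = {}                        # UID -> outstanding R0

    def challenge(self, uid):                    # Challenge302
        self.pending[uid] = secrets.token_bytes(16)
        return self.pending[uid]

    def issue_ticket(self, uid, sid, n, response):   # Response303 -> Ticket304
        r0 = self.pending.pop(uid, None)
        if r0 is None or uid not in self.passwords:
            return None
        expected = H_steps(self.passwords[uid] + r0, n + 1)
        if not hmac.compare_digest(response, expected):
            return None
        body = json.dumps({"tid": secrets.token_hex(8), "hash": expected.hex(),
                           "n": n, "ts": int(time.time()), "sid": sid,
                           "iid": self.iid}, sort_keys=True).encode()
        return body, hmac.new(self.mac_key, body, hashlib.sha256).digest()

class LicenseServer:
    """License server means 33 (hypothetical class)."""
    def __init__(self, mac_key, sid, lifetime=3600):
        self.mac_key, self.sid, self.lifetime = mac_key, sid, lifetime
        self.uses = {}                           # TID -> uses already granted

    def _open(self, ticket):
        body, tag = ticket
        good = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            return None                          # altered ticket or wrong publisher
        fields = json.loads(body)
        fresh = time.time() - fields["ts"] <= self.lifetime
        return fields if fresh and fields["sid"] == self.sid else None

    def challenge(self, ticket):                 # Challenge306: next use count k
        fields = self._open(ticket)
        if fields is None:
            return None
        k = self.uses.get(fields["tid"], 0) + 1
        return k if k <= fields["n"] else None   # ticket used up after n grants

    def authorize(self, ticket, response):       # Response307 -> Result308
        fields, k = self._open(ticket), self.challenge(ticket)
        if fields is None or k is None:
            return False
        if not hmac.compare_digest(H_steps(response, k), bytes.fromhex(fields["hash"])):
            return False
        self.uses[fields["tid"]] = k             # advance k only on success
        return True

class Client:
    """Client means 31 (hypothetical class)."""
    def login(self, auth, uid, sid, password, n):
        r0 = auth.challenge(uid)
        self.secret, self.n = H(password + r0), n        # kept in secret storage
        self.ticket = auth.issue_ticket(uid, sid, n, H_steps(self.secret, n))
        return self.ticket is not None

    def access(self, lic):
        k = lic.challenge(self.ticket)
        if k is None:
            return False
        # (n - k) + 1 hash steps over PW || R0; at k = n this is the stored value itself
        self.last = H_steps(self.secret, self.n - k)
        return lic.authorize(self.ticket, self.last)

def run_demo(n=3):
    key = secrets.token_bytes(32)                # MAC key, assumed shared by both servers
    auth = AuthServer(key, {"alice": b"constructed-password"})   # constructed account
    lic, client = LicenseServer(key, sid="files"), Client()
    if not client.login(auth, "alice", "files", b"constructed-password", n):
        raise RuntimeError("login failed")
    first = client.access(lic)                           # use 1 of n
    replay = lic.authorize(client.ticket, client.last)   # old response, server now at k=2
    rest = [client.access(lic) for _ in range(n - 1)]    # uses 2..n
    exhausted = client.access(lic)                       # use n+1 is refused
    body, tag = client.ticket
    altered = (body.replace(b'"n": %d' % n, b'"n": 9'), tag)
    forged = lic.authorize(altered, client.last)         # authentication child mismatch
    return first, replay, rest, exhausted, forged

if __name__ == "__main__":
    print(run_demo())
```

The replayed response fails because the server hashes it k = 2 times and lands one step past the value in the ticket; the license server has to keep the per-ticket use count for this to hold.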

[0070] The configuration of an authentication system with such a protocol sequence is
explained with reference to the functional block diagram of drawing 5.
[0071] In drawing 5, 31 is a client means which has a user interface, 32 is an
authentication server means which performs user authentication, and 33 is a license
server means which judges an access permission and performs use license.
[0072] The client means 31 has a 1st transceiver means 311 which transmits and
receives data, an input means 312 which obtains the input from a user, a hash means
313 which concatenates two inputs and performs the hash operation H, a ticket
maintenance means 314 which holds the received authentication ticket, a processing
selection means 315 which chooses processing according to the maintenance condition
of an authentication ticket, a secret storage means 316 which memorizes the hash
result in secret, and a multistage hash means 317 which performs the hash operation
for a given number of stages or for the number of stages given by the difference of
two given numeric values.

[0073] The 1st transceiver means 311 consists, according to the class of
communication network, of LAN interface devices such as a LAN card, ISDN interface
devices such as a terminal adapter, telephone interface devices such as a modem,
wireless interface devices such as a portable data communication card and a PIAFS
card, infrared interface devices such as an IrDA module, and so on, and may be
configured to use several of these selectively according to the communications
partner. The input means 312 consists of character input devices such as a keyboard
and a ten key, a combination of pointing devices such as a mouse, a trackball, and a
pen tablet or a dial with selection buttons and a display screen, or a touch panel.
The hash means 313 is constituted by combining a logical circuit with an arithmetic
circuit incorporating the algorithm of the hash operation H. A memory circuit is used
for the ticket maintenance means 314. A logical circuit can be used for the
processing selection means 315. The secret storage means 316 is constituted by a
memory device with tamper-proof nature, such as an IC card. The multistage hash means
317 is constituted by adding, to an arithmetic circuit incorporating the algorithm
of, for example, the hash operation H, a connection which feeds back the output, a
counter which counts the number of stages, and an arithmetic circuit which finds the
difference of numeric values. In addition, each above-mentioned means may be realized
by a computer program on a microcomputer or a general purpose computer.
Alternatively, the computer program may be recorded on a program recording medium in
a readable format and realized in combination with a reader for that medium.

[0074] Moreover, the authentication server means 32 has a 2nd transceiver means 321
which transmits and receives data, an authentication time check means 322 which
clocks current time, an authentication information storage means 323 which
accumulates user authentication information such as passwords, a random-number
generation means 324 which generates a random number for every user authentication
process, a 2nd multistage hash means 325 which performs the hash operation H for one
more than a given number of stages, an authentication collating means 326 which
compares and collates two multistage hash values, a ticket identifier generation
means 327 which generates a unique ticket identifier for every authentication ticket
issue, and an authentication child addition means 328 which generates the
authentication child and adds it to an authentication ticket.

[0075] The 2nd transceiver means 321 consists, according to the class of
communication network, of LAN interface devices such as a LAN card, ISDN interface
devices such as a terminal adapter, telephone interface devices such as a modem,
wireless interface devices such as a portable data communication card and a PIAFS
card, infrared interface devices such as an IrDA module, and so on. A timer counter
is used for the authentication time check means 322. The authentication information
storage means 323 consists of mass memory devices, and it is better still if the
memory device has tamper-proof nature. The random-number generation means 324
consists of, for example, an arithmetic circuit incorporating a random-number
generation algorithm, or a converter which turns electromagnetic noise into data. The
2nd multistage hash means 325 is constituted by adding, to an arithmetic circuit
incorporating the algorithm of, for example, the hash operation H, a connection which
feeds back the output and a counter which counts the number of stages. The
authentication collating means 326 consists of comparator circuits. The ticket
identifier generation means 327 consists of, for example, a counter circuit with
sufficient bit length. The authentication child addition means 328 consists of
arithmetic circuits and memory circuits incorporating an authentication child
generation algorithm. In addition, each above-mentioned means may be realized by a
computer program on a microcomputer or a general purpose computer. Alternatively, the
computer program may be recorded on a program recording medium in a readable format
and realized in combination with a reader for that medium.

[0076] Moreover, the license server means 33 has a 3rd transceiver means 331 which
transmits and receives data, a license time check means 332 which clocks current
time, an authentication child verification means 333 which verifies the
authentication child added to the authentication ticket, a ticket effective judging
means 334 which judges the effectiveness of an authentication ticket, a ticket use
management tool 335 which manages the remaining count of available uses from the
ticket identifier of an authentication ticket and the count of effective, a 3rd
multistage hash means 336 which performs the hash operation H for the given number of
stages, and a license collating means 337 which compares and collates two multistage
hash values.

[0077] The 3rd transceiver means 331 consists, according to the class of
communication network, of LAN interface devices such as a LAN card, ISDN interface
devices such as a terminal adapter, telephone interface devices such as a modem,
wireless interface devices such as a portable data communication card and a PIAFS
card, infrared interface devices such as an IrDA module, and so on. A timer counter
is used for the license time check means 332. The authentication child verification
means 333 consists of arithmetic circuits and memory circuits incorporating an
authentication child verification algorithm. The ticket effective judging means 334
is constituted by a combination of comparator circuits. The ticket use management
tool 335 is constituted by the combination of an arithmetic circuit which calculates
the count of use and a mass memory device. The 3rd multistage hash means 336 consists
of the same arithmetic circuit as the 2nd multistage hash means 325, with the preset
value of the counter made variable. The license collating means 337 consists of
comparator circuits. In addition, each above-mentioned means may be realized by a
computer program on a microcomputer or a general purpose computer. Alternatively, the
computer program may be recorded on a program recording medium in a readable format
and realized in combination with a reader for that medium.
[0078] The actuation of the authentication approach and authentication system
constituted as mentioned above is explained below with reference to drawing 6. Here,
the case where authentication demand Authenticate Request301 is accompanied by the
count n of effective of the authentication ticket is explained.
[0079] First, in the client means 31, the user-identification child UID which shows
the user, the password PW for user authentication registered beforehand in the
authentication server means 32, the server identifier SID of the object from which
use license is to be obtained, and the count n of effective of the authentication
ticket are inputted into the input means 312 as a user input 300 (ST3101, ST3104).
The input means 312 holds the user input 300 temporarily, takes out the server
identifier 3101, and sends it to the ticket maintenance means 314. The ticket
maintenance means 314 searches for the authentication ticket data corresponding to
the server identifier 3101 (ST3102), and sends the notice 3102 of a retrieval result
to the processing selection means 315. The processing selection means 315 (ST3103)
sends the notice 3103 of user authentication processing starting to said input means
312 and the multistage hash means 317 when the notice 3102 of a retrieval result
shows that there is none, and sends the notice 3104 of use license procedure starting
to said ticket maintenance means 314, the secret storage means 316, and the
multistage hash means 317 when it shows that there is one.

[0080] When the notice 3103 of user authentication starting is given, said input
means 312 sends the group 3105 of the user-identification child, the server
identifier, and the count of effective, taken out from the temporarily held user
input 300, to the authentication server means 32 through the 1st transceiver means
311 as authentication demand Authenticate Request301 (ST3105), sends the count 3106
of effective to the multistage hash means 317, and sends the password 3107 to the
hash means 313.

[0081] In the authentication server means 32, authentication demand Authenticate
Request301 is received by the 2nd transceiver means 321; the user-identification
child 3201 taken out of it is sent to the authentication information storage means
323, the count 3202 of effective is sent to the 2nd multistage hash means 325 and the
authentication child addition means 328, and the server identifier 3203 is sent to
the authentication child addition means 328 (ST3201). The authentication information
storage means 323 searches for the password corresponding to the user-identification
child 3201 (ST3202); when there is one (ST3203), it sends the password 3204 to the
2nd multistage hash means 325, and it sends the notice 3205 of a retrieval result to
the random-number generation means 324 and the 2nd multistage hash means 325.

[0082] When the notice 3205 of a retrieval result shows that there is one, the
random-number generation means 324 newly generates at random the challenge random
number 3206 for data disturbance, sends it to the 2nd multistage hash means 325, and
sends it to the client means 31 as authentication challenge Challenge302 through the
2nd transceiver means 321 (ST3204). When the notice 3205 of a retrieval result shows
that there is one, the 2nd multistage hash means 325 performs the hash operation H,
for one more stage than the count 3202 of effective, on the concatenation of the
password 3204 and the challenge random number 3206, and sends the resulting
multistage hash value 3207 to the authentication collating means 326 (ST3205).

[0083] Meanwhile, in the client means 31, the authentication challenge Challenge302
is received by the 1st transceiver means 311, and the challenge random number 3108 is
taken out and sent to the hash means 313 (ST3106). The hash means 313 performs the
hash operation H on the concatenation of the password 3107 and the challenge random
number 3108 (ST3107), and sends the resulting hash value 3109 to the secret storage
means 316 and the multistage hash means 317. The secret storage means 316 memorizes
the hash value 3109 in secret and permits only predetermined access, i.e., addition
and renewal in the user authentication procedure and reference in the use license
procedure (ST3108). When the notice 3103 of user authentication procedure starting
has been given, the multistage hash means 317 performs on the hash value 3109 the
hash operation H for the number of stages equal to the count 3106 of effective
(ST3109), and sends the resulting multistage hash value 3114 to the authentication
server means 32 as authentication challenge response Response303 through the 1st
transceiver means 311 (ST3110).

[0084] Meanwhile, in the authentication server means 32, the authentication challenge
response Response303 is received by the 2nd transceiver means 321, and the multistage
hash value 3208 is taken out and sent to the authentication collating means 326
(ST3206). The authentication collating means 326 judges whether the multistage hash
value 3207 and the multistage hash value 3208 coincide (ST3207), sends the collating
result 3209 to the ticket identifier generation means 327, and passes the multistage
hash value 3208 on unchanged to the authentication child addition means 328 as the
multistage hash value 3210. When the collating result 327 shows coincidence, the
ticket identifier generation means 327 generates the effective ticket identifier
3212, and sends it to the authentication child addition means 328 (ST3208).

[0085] The authentication time check means 322 clocks current time and supplies the
time stamp 3211 based on current time to the authentication child addition means 328.
The authentication child addition means 328 concatenates the ticket identifier 3212,
the multistage hash value 3210, the count 3202 of effective, the time stamp 3211, the
server identifier 3203, and the publisher identifier which shows the authentication
server 32 itself, generates an authentication child and adds it to this to form the
authentication ticket data 3213 (ST3209), and sends it to the client means 31 as the
authentication ticket Ticket304 through the 2nd transceiver means 321 (ST3210).

[0086] Meanwhile, in the client means 31, the authentication ticket Ticket304 is
received by the 1st transceiver means 311, and the authentication ticket data 3110
are taken out and sent to said ticket maintenance means 314 (ST3111). Said ticket
maintenance means 314 holds the authentication ticket data 3110 in association with
the server identifier 3101 (ST3112); when the notice 3104 of use license procedure
starting is given, it sends the authentication ticket data 3111 to the license server
means 33 through the 1st transceiver means 311 as the authentication ticket Ticket305
together with the license demand Authorize Request (ST3113), takes out the count 3112
of effective from the authentication ticket data, and sends it to the multistage hash
means 317.

[0087] Meanwhile, in the license server means 33, the license demand Authorize
Request accompanied by the authentication ticket Ticket305 is received by the 3rd
transceiver means 331, and the authentication ticket data 3301 are taken out and sent
to the authentication child verification means 333 (ST3301). The authentication child
verification means 333 verifies the consistency between the authentication child and
the data division of the authentication ticket data 3301, that is, the part other than
the authentication child, and sends the verification result 3304 to the ticket
effective judging means 334. At the same time, it takes out the time stamp 3302 and
the server identifier 3303 from the data division and sends them to the ticket
effective judging means 334, and takes out the ticket identifier 3305, the multistage
hash value 3306, the count 3307 of effective, and the publisher identifier 3308 and
sends them to the ticket use management tool 335 (ST3304).

[0088] The license time check means 332 keeps the current time and supplies the time
stamp 3309 based on the current time to the ticket effective judging means 334. When
the verification result 3304 shows no error, the ticket effective judging means 334
judges (ST3305) whether the server identifier 3303 coincides with its own server
identifier held inside (ST3302, ST3303), confirms that the difference between the time
stamp 3302 and the time stamp 3309 based on the current time is within the limits of a
predetermined expiration date (ST3306, ST3307), and, when all are true, sends the
ticket effective notice 3310 to the ticket use management tool 335. If this expiration
date is set short, security improves but user convenience falls; if it is set long,
user convenience improves but security falls, so it should be defined with this
balance in mind. For example, when applied to a business-use system that does not
demand severe security, it may be set to 8 to 12 hours, which can cover one day's
office hours. At the shortest, however, it needs to cover the communication time
between client and server and the time-of-day error between the respective time check
means.

[0089] The ticket use management tool 335 manages a ticket list. When the ticket
effective notice 3310 is given, it searches the ticket list to investigate whether the
ticket identifier 3305 has been used and is already registered (ST3308). If there is
no corresponding entry, a pair consisting of the ticket identifier 3305 and the count
3307 of effective, taken as the value that shows the remaining count of available, is
added to the ticket list and memorized (ST3309, ST3310). At this time, the multistage
hash value 3306 and the publisher identifier 3308 may be memorized together with it.
Then, for this added pair or for the pair found by retrieval, the ticket use
management tool 335 reduces the remaining count of available by one and obtains the
count 3311 of use, which is the difference between the count of effective and the
remaining count of available (ST3311). It sends this to the client means 31 as the
license challenge Challenge306 through the 3rd transceiver means 331 (ST3312) and
also sends it to the 3rd multistage hash means 336. Moreover, it passes the multistage
hash value 3306 unchanged, as the multistage hash value 3312, to the license collating
means 337.

[0090] Meanwhile, in the client means 31, the license challenge Challenge306 is
received by the 1st transceiver means 311, and the count 3115 of use is taken out and
sent to the multistage hash means 317 (ST3114). When the notice 3104 of use license
procedure starting is given, the multistage hash means 317 obtains the hash value 3113
from said secret storage means 316 (ST3115) and performs on the hash value 3113 the
hash operation H for a number of stages equal to the difference between the count 3112
of effective and the count 3115 of use (ST3116). The resulting multistage hash value
3116 is sent to the license server means 33 as the license challenge response
Response307 through the 1st transceiver means 311 (ST3117).

[0091] As long as the hash operation H is sufficiently secure in its one-wayness, the
length of its result, and its randomness, a third person who does not know Password PW
and the random number R0 cannot calculate this multistage hash value 3116, so this
multistage hash value 3116 shows that the sender is the valid user who knows Password
PW. Moreover, because the number of stages of the hash operation H in a multistage
hash value is larger the further back in the past it was used, the following
multistage hash value cannot be calculated from this multistage hash value 3116
either, and so there is no need for encryption. In addition, a hash operation is
generally 100 or more times faster than a cipher operation, and with a suitable number
of stages, processing is faster than when a cipher is used.

[0092] Meanwhile, in the license server means 33, the license challenge response
Response307 is received by the 3rd transceiver means 331, and the multistage hash
value 3313 is taken out and sent to the 3rd multistage hash means 336 (ST3313). The
3rd multistage hash means 336 performs on the multistage hash value 3313 the hash
operation H for a number of stages equal to the count 3311 of use and sends the
resulting secondary multistage hash value 3314 to the license collating means 337
(ST3314). The license collating means 337 judges whether the multistage hash value
3312 and the secondary multistage hash value 3314 coincide (ST3315, ST3316), and if
they do, sends the notice 3315 of license to the client means 31 through the 3rd
transceiver means 331 as the notice Result308 of license (ST3317), which the client
means 31 receives (ST3118). By this approach, the client means 31 can obtain use
license up to n times using the authentication ticket 305, without revealing Password
PW to a third person including the license server means 33.
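
The license procedure of [0089] to [0092], as an added Python sketch that is not part of the patent text: the license server keeps the ticket list, issues the count of use k as the challenge, and checks that k stages of H applied to the response reproduce the n-stage value carried in the ticket. SHA-256 as H, the dictionary ticket layout, the refusal of an exhausted ticket, and taking the stored hash value 3113 to be H(PW || R0) are assumptions; the authentication child check is taken as already passed.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One stage of the hash operation H (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def multistage(value: bytes, stages: int) -> bytes:
    """Apply H `stages` times; zero stages returns the value unchanged."""
    if stages < 0:
        raise ValueError("negative number of stages")
    for _ in range(stages):
        value = H(value)
    return value


class LicenseServer:
    """Ticket use management ([0089]) and license collation ([0092])."""

    def __init__(self):
        self.ticket_list = {}  # ticket identifier -> remaining count of available

    def challenge(self, ticket: dict) -> int:
        """Register the ticket on first sight, reduce the remaining count by one
        and return the count of use k (count of effective minus remaining)."""
        tid, n = ticket["ticket_id"], ticket["count_of_effective"]
        remaining = self.ticket_list.setdefault(tid, n)
        if remaining <= 0:
            # Assumption: a ticket with no uses left is refused outright.
            raise PermissionError("ticket has no remaining uses")
        self.ticket_list[tid] = remaining - 1
        return n - (remaining - 1)

    def collate(self, ticket: dict, k: int, response: bytes) -> bool:
        """Hash the response k more stages and compare with the ticket value."""
        return hmac.compare_digest(multistage(response, k),
                                   ticket["multistage_hash"])


class Client:
    """Client side of [0090]: answers challenge k with H^(n-k)(secret)."""

    def __init__(self, secret_hash: bytes, ticket: dict):
        self.secret_hash = secret_hash  # kept in the secret storage means
        self.ticket = ticket

    def respond(self, k: int) -> bytes:
        n = self.ticket["count_of_effective"]
        if not 1 <= k <= n:
            raise ValueError("count of use outside 1..n")
        return multistage(self.secret_hash, n - k)


def make_session(n: int, password: bytes = b"constructed-password",
                 r0: bytes = b"constructed-R0"):
    """Build a constructed ticket, client and license server for n uses."""
    secret_hash = H(password + r0)  # assumption: hash value 3113 = H(PW || R0)
    ticket = {"ticket_id": "T-0001",
              "count_of_effective": n,
              "multistage_hash": multistage(secret_hash, n)}
    return ticket, Client(secret_hash, ticket), LicenseServer()


def run_demo(n: int = 3) -> list:
    """Use the ticket n times and return the collation result of each use."""
    ticket, client, server = make_session(n)
    results = []
    for _ in range(n):
        k = server.challenge(ticket)
        results.append(server.collate(ticket, k, client.respond(k)))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Because each response is the hash of the next one, a response captured at use k does not collate at use k+1, which is the property [0091] relies on when it says no encryption is needed.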

[0093] In addition, although the above explanation assumes a configuration in which
the client means 31 calculates a multistage hash value at every use license procedure,
a configuration is also possible in which the multistage hash values of all numbers of
stages are precomputed when the authentication ticket is acquired and are memorized in
the secret storage means 316. In that case, although a large-capacity memory device
with tamper-proof nature needs to be used as the secret storage means 316, the
processing time for each use license procedure can be shortened further.



[0094] Next, for the authentication system of the 4th operation gestalt shown in
drawing 5, a detailed example of the configuration and operation of the authentication
child addition means 328 and the authentication child verification means 333 when a
message authentication code is used as the authentication child is explained with
reference to drawing 7 and drawing 8.

[0095] As shown in drawing 7, the authentication child addition means 328 comprises
self-identifier storage means 328A, which stores the identifier indicating the
authentication server itself; data connection means 328B, which connects data;
connection data hash means 328C, which performs the hash operation h; server common
key storage means 328D, which memorizes the server common key that the authentication
server means 31 and the license server means 32 hold in common as a secret; common key
system cipher means 328E, which performs cipher processing of a common key system on
data; and authentication child connection means 328F, which connects the
authentication child.

[0096] Self-identifier storage means 328A consists of memory. Data connection means
328B can consist of logical circuits. Connection data hash means 328C consists of, for
example, arithmetic circuits incorporating the algorithm of the hash operation h. Here
the hash operation h may be the same as the hash operation H or may differ from it.
Server common key storage means 328D consists of memory, and it is better still if it
is a memory device with tamper-proof nature. Common key system cipher means 328E
consists of arithmetic circuits or cipher-processing special purpose processors
incorporating a cryptographic algorithm. DES, Triple DES, etc. can be used here as the
cryptographic algorithm, for example. Authentication child connection means 328F
consists of logical circuits.

[0097] Moreover, as shown in drawing 8, the authentication child verification means
333 comprises authentication child separation means 333A, which separates the
authentication child from data; 2nd connection data hash means 333B, which performs
the hash operation h; 2nd server common key storage means 333C, which memorizes the
server common key that the authentication server means 31 and the license server means
32 hold in common as a secret; 2nd common key system cipher means 333D, which performs
cipher processing of a common key system; data separation means 333E, which divides
and separates the data division; publisher identifier collating means 333F, which
collates the publisher identifier; and comparison means 333G, which compares and
verifies the message authentication code.

[0098] Authentication child separation means 333A consists of logical circuits. 2nd
connection data hash means 333B, 2nd server common key storage means 333C, and 2nd
common key system cipher means 333D are constituted like 328C, 328D, and 328E in
drawing 7, respectively. Data separation means 333E consists of logical circuits.
Publisher identifier collating means 333F consists of a memory circuit and a
comparator circuit. Comparison means 333G is constituted by a combination of
comparator circuits. In addition, each above-mentioned means may be realized using a
computer program on a microcomputer or a general purpose computer. Alternatively, the
computer program may be recorded on a program recording medium in a readable format
and realized by a configuration combined with a reader for the program recording
medium.

[0099] The operation of the authentication child addition means 328 and the
authentication child verification means 333 constituted as mentioned above is
explained. In the authentication child addition means 328, the identifier that shows
the authentication server itself is first supplied from self-identifier storage means
328A to data connection means 328B as publisher identifier 328a. Data connection means
328B arranges in a defined sequence and connects the count 3202 of effective and the
server identifier 3203 obtained from the 2nd transceiver means 321, the multistage
hash value 3210 obtained from the authentication collating means 326, the time stamp
3211 obtained from the authentication time check means 322, the ticket identifier 3212
obtained from the ticket identifier generation means 327, and publisher identifier
328a obtained from self-identifier storage means 328A, and sends the result to
connection data hash means 328C and authentication child connection means 328F as
data-division 328b.

[0100] Connection data hash means 328C performs the hash operation h on data-division
328b and sends the resulting hash value 328c to common key system cipher means 328E.
Common key system cipher means 328E obtains server common key 328d from server common
key storage means 328D, uses it as the cryptographic key to encipher hash value 328c,
and sends the result to authentication child connection means 328F as message
authentication code 328e. Authentication child connection means 328F connects message
authentication code 328e with data-division 328b and outputs the authentication ticket
data 3213.

[0101] Moreover, in the authentication child verification means 333, the
authentication ticket data 3301 are first input to authentication child separation
means 333A and separated into message authentication code 333a and data-division 333b;
message authentication code 333a is sent to comparison means 333G, and data-division
333b is sent to 2nd connection data hash means 333B and data separation means 333E,
respectively. 2nd connection data hash means 333B performs the hash operation h on
data-division 333b and sends the resulting hash value 333c to 2nd common key system
cipher means 333D. 2nd common key system cipher means 333D obtains server common key
333d from 2nd server common key storage means 333C, uses it as the cryptographic key
to encipher hash value 333c, and sends the result to comparison means 333G as message
authentication code 333e for comparison. Data separation means 333E separates
data-division 333b into the time stamp 3302, the server identifier 3303, the ticket
identifier 3305, the multistage hash value 3306, the count 3307 of effective, and the
publisher identifier 3308 and outputs them, and also sends the publisher identifier
3308 to publisher identifier collating means 333F. Publisher identifier collating
means 333F collates whether the publisher identifier 3308 is the identifier of the
authentication server 32 and sends collating result 333f to comparison means 333G.
Comparison means 333G outputs the verification result 3304 based on whether collating
result 333f shows coincidence and whether message authentication code 333a and message
authentication code 333e for comparison are in agreement. The verification result 3304
shows no error when each of them is in agreement.
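
The addition and verification of the authentication child in [0099] to [0101], together with the validity checks of [0088], as an added Python sketch that is not the patent's own code. The page's construction enciphers h(data division) under the server common key with DES or Triple DES; here HMAC-SHA-256 is swapped in for that step, and the length-prefixed field encoding, the field names, the sample values, and the clock-skew allowance are assumptions.

```python
import hashlib
import hmac
import struct

# Sequence in which the data division is connected (an assumed, fixed order).
FIELDS = ("ticket_id", "multistage_hash", "count_of_effective",
          "time_stamp", "server_id", "publisher_id")
TEXT_FIELDS = ("ticket_id", "server_id", "publisher_id")
INT_FIELDS = ("count_of_effective", "time_stamp")
MAC_LEN = hashlib.sha256().digest_size

# Constructed sample ticket contents, for illustration only.
SAMPLE_TICKET = {"ticket_id": "T-0001", "multistage_hash": bytes(32),
                 "count_of_effective": 5, "time_stamp": 1_000_000,
                 "server_id": "license-33", "publisher_id": "auth-32"}


def encode_data_division(ticket: dict) -> bytes:
    """Connect the fields in order, each length-prefixed so that field
    boundaries cannot be shifted without changing the authenticated bytes."""
    out = bytearray()
    for name in FIELDS:
        value = ticket[name]
        raw = value if isinstance(value, bytes) else str(value).encode("utf-8")
        out += struct.pack(">H", len(raw)) + raw
    return bytes(out)


def decode_data_division(data: bytes) -> dict:
    """Data separation: split the data division back into its fields."""
    fields, pos = {}, 0
    for name in FIELDS:
        if pos + 2 > len(data):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if pos + length > len(data):
            raise ValueError("truncated field")
        fields[name] = data[pos:pos + length]
        pos += length
    if pos != len(data):
        raise ValueError("trailing bytes after last field")
    for name in TEXT_FIELDS:
        fields[name] = fields[name].decode("utf-8")
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return fields


def add_authenticator(ticket: dict, server_key: bytes) -> bytes:
    """Authentication child addition: data division followed by its MAC."""
    data = encode_data_division(ticket)
    return data + hmac.new(server_key, data, hashlib.sha256).digest()


def verify_ticket(blob: bytes, server_key: bytes, own_server_id: str,
                  publisher_id: str, now: int, max_age: int, skew: int = 60):
    """Return the ticket fields if every check passes, otherwise None.
    Checks: MAC agreement, publisher identifier, own server identifier,
    and time stamp within the expiration period (skew is an assumption)."""
    if len(blob) <= MAC_LEN:
        return None
    data, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(server_key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    try:
        fields = decode_data_division(data)
    except ValueError:
        return None
    if fields["publisher_id"] != publisher_id:
        return None
    if fields["server_id"] != own_server_id:
        return None
    if not -skew <= now - fields["time_stamp"] <= max_age:
        return None
    return fields
```

The MAC is checked before the data division is parsed, so a ticket whose fields were altered in transit is rejected without its contents being interpreted.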

[0102] Next, for the authentication system of the 4th operation gestalt of drawing 5,
the configuration and operation of the authentication child addition means 328 and the
authentication child verification means 333 when a digital signature is used as the
authentication child are explained with reference to drawing 9 and drawing 10.
Drawing 9 differs from drawing 7 in that, instead of server common key storage means
328D and common key system cipher means 328E, it provides self-private key storage
means 328G, which memorizes the public key system private key of the authentication
server 32 itself, and public key system cipher means 328H, which performs cipher
processing of a public key system. Memory can be used as self-private key storage
means 328G, for example, and it is better still if it is a memory device with
tamper-proof nature. As public key system cipher means 328H, an arithmetic circuit or
a cipher-processing special purpose processor incorporating a cryptographic algorithm
can be used, for example. RSA, an elliptic curve cryptosystem, etc. can be used here
as the cryptographic algorithm, for example.

[0103] Moreover, drawing 10 differs from drawing 8 in that, instead of 2nd server
common key storage means 333C, 2nd common key system cipher means 333D, and publisher
identifier collating means 333F, it provides server public key accumulation means
333H, which accumulates one or more public keys of the authentication server means 31
in association with server identifiers, and public key system decode means 333J, which
performs decode processing of the public key system cipher, and in that the
connections between these are changed. Server public key accumulation means 333H may
accumulate not only the public key of the authentication server means 32 but also that
of the license server means 33. As server public key accumulation means 333H, a memory
circuit can be used, for example, and it is better still if it is a large-capacity
memory device. As public key system decode means 333J, an arithmetic circuit or a
cipher-processing special purpose processor incorporating the decode algorithm can be
used, for example. Needless to say, the decode algorithm used here is the one
corresponding to the cryptographic algorithm in public key system cipher means 328H.
In addition, each above-mentioned means may be realized using a computer program on a
microcomputer or a general purpose computer. Alternatively, the computer program may
be recorded on a program recording medium in a readable format and realized by a
configuration combined with a reader for the program recording medium.

[0104] The operation of the authentication child addition means 328 and the
authentication child verification means 333 constituted as mentioned above is
explained. In the authentication child addition means 328, the operation of
self-identifier storage means 328A, data connection means 328B, and connection data
hash means 328C is the same as in the case of drawing 7; data-division 328b is
supplied to authentication child connection means 328F, and hash value 328c is
supplied to public key system cipher means 328H. Public key system cipher means 328H
obtains self-private key 328f from self-private key storage means 328G, uses it as the
cryptographic key to encipher hash value 328c, and sends the result to authentication
child connection means 328F as digital signature 328g. Authentication child connection
means 328F connects digital signature 328g with data-division 328b and outputs the
authentication ticket data 3213.

[0105] Moreover, in the authentication child verification means 333, the
authentication ticket data 3301 are first input to authentication child separation
means 333A and separated into digital signature 333g and data-division 333b; digital
signature 333g is sent to public key system decode means 333J, and data-division 333b
is sent to 2nd connection data hash means 333B and data separation means 333E,
respectively. 2nd connection data hash means 333B performs the hash operation h on
data-division 333b and sends the resulting hash value 333h to comparison means 333G.
Data separation means 333E separates data-division 333b into the time stamp 3302, the
server identifier 3303, the ticket identifier 3305, the multistage hash value 3306,
the count 3307 of effective, and the publisher identifier 3308 and outputs them, and
also sends the publisher identifier 3308 to server public key accumulation means 333H.
Server public key accumulation means 333H searches and collates whether the publisher
identifier 3308 is the identifier of the known authentication server 31 (or license
server 32) and sends collating result 333i to comparison means 333G, while sending
server public key 333j corresponding to the publisher identifier 3308 to public key
system decode means 333J.

[0106] Public key system decode means 333J uses server public key 333j as the decode
key, decrypts digital signature 333g, and sends the result to comparison means 333G as
hash value 333k for comparison. Comparison means 333G outputs the verification result
3304 based on whether collating result 333i shows coincidence and whether hash value
333h and hash value 333k for comparison are in agreement. The verification result 3304
shows no error when each of them is in agreement.

[0107] Thus, when an authentication system takes the configuration of this operation
gestalt, even if the client side is equipment of low computation capacity, use license
processing can be performed within a practical processing time.

[0108] (Gestalt of the 5th operation) The 5th operation gestalt explains the concrete
communication procedure in the authentication system of the 3rd operation gestalt and
the block configuration of each means for performing it.

[0109] Drawing 11 is the protocol sequence diagram showing the protocol of the
authentication system in the 5th operation gestalt. Drawing 11 differs from drawing 4
in the client means 41 with a user interface and the authentication server means 42
that performs user authentication; the license server means 33 is unchanged. It also
differs in the following points: the authentication challenge response Response401
carries the exclusive-OR (the notation "@" shows the EXCLUSIVE OR operation) of the
result of performing one step of hash operation H on the connection of Password PW,
input through the user interface, and the random number R0, with the random number S0
for authentication that the client means 41 generated in secrecy; the hash result
carried by the authentication tickets Ticket402 and Ticket403 is the n-step hash
result of the random number S0 for authentication; and the hash result carried by the
license challenge response Response404 is the hash operation of n-k stages on the
random number S0 for authentication.

[0110] By the above protocol sequence, the client means 41 can obtain use license up
to n times using the authentication ticket 402 without revealing Password PW to a
third person including the license server means 33. Moreover, since the contents of
the authentication ticket 402 are unrelated to Password PW, the ticket does not even
become a target of attack by a dishonest third person trying to steal Password PW, so
safety is higher.

[0111] The configuration of an authentication system with such a protocol sequence is
explained with reference to the functional block diagram of drawing 12.

[0112] In drawing 12 as well, the client means 41 with a user interface and the
authentication server means 42 that performs user authentication differ from drawing
5, and the license server means 33 is unchanged. The client means 41 differs from the
client means 31 of drawing 5 in that it provides random-number generation means 411
for authentication, which generates a random number for every user authentication
processing, and the 1st exclusive-OR means 412, which performs the EXCLUSIVE OR
operation bit by bit, and in that part of the connections is changed. The
authentication server means 42 differs from the authentication server means 32 of
drawing 5 in that, instead of the 2nd multistage hash means 325 and the authentication
collating means 326, it provides the 2nd hash means 421, which performs the hash
operation H, the 2nd exclusive-OR means 422, which performs the EXCLUSIVE OR operation
bit by bit, and the 2nd multistage hash means 423, which performs the hash operation H
for a given number of stages, and in that part of the connections is changed. As
random-number generation means 411 for authentication, an arithmetic circuit
incorporating a random-number generation algorithm, or a converter that turns
electromagnetic noise into data, can be used, for example. As the 1st and 2nd
exclusive-OR means 412 and 422, a logical circuit can be used, for example. As the 2nd
hash means 421, an arithmetic circuit incorporating the algorithm of the hash
operation H can be used, for example. The 2nd multistage hash means 423 can be
constituted, for example, by adding to the same arithmetic circuit as 421 a connection
that feeds back the output and a counter that counts the number of stages. In
addition, each above-mentioned means may be realized using a computer program on a
microcomputer or a general purpose computer. Alternatively, the computer program may
be recorded on a program recording medium in a readable format and realized by a
configuration combined with a reader for the program recording medium.

[0113] The operation of the authentication system constituted as mentioned above is
explained with reference to drawing 13. Here, the case where the authentication demand
Authenticate Request301 is accompanied by the count n of effective of the
authentication ticket is explained.

[0114] First, in the client means 41 and the authentication server means 42, the
operation of the 1st and 2nd transceiver means 311 and 321, the input means 312, the
ticket maintenance means 314, the processing selection means 315, the authentication
information storage means 323, and the random-number generation means 324 is the same
as in the case of drawing 5 and drawing 6. The authentication demand Authenticate
Request301 and the authentication challenge Challenge302 are exchanged; in the client
means 41, the notice 4101 of user authentication processing starting or the notice
3104 of use license procedure starting is obtained, and in the authentication server
means 42, the count 4201 of effective, the server identifier 3203, the password 3204,
the notice 4202 of a retrieval result, and the challenge random number 3206 are
obtained. The following points differ, however: the notice 4101 of user authentication
processing starting is sent to said input means 312, the random-number generation
means 411 for authentication, and the 1st exclusive-OR means 412; the count 4201 of
effective is sent to the 2nd multistage hash means 423 and the authentication child
addition means 328; the notice 4202 of a retrieval result is sent to the 2nd hash
means 421, the random-number generation means 324, and the ticket identifier
generation means 327; and the challenge random number 3206 is sent to the 2nd hash
means 421 as well as to the client means 41 through the 2nd transceiver means 321.

[0115] Next, in the client means 41, when the notice 4101 of user authentication
processing starting is given, the random-number generation means 411 for
authentication newly generates, at random and in secret, the random number 4102 for
authentication, which is used to prove that authentication has been completed, and
sends it to the 1st exclusive-OR means 412 and the secret storage means 316 (ST4101).
The secret storage means 316 memorizes the random number 4102 for authentication in
secrecy and permits only predetermined access, i.e., addition and renewal in the user
authentication procedure and reference in the use license procedure (ST4102). When the
notice 4101 of user authentication processing starting is given, the 1st exclusive-OR
means 412 performs the EXCLUSIVE OR operation bit by bit between the hash value 4103
obtained from the hash means 313 and the random number 4102 for authentication, and
sends the disturbance hash value 4104 obtained as a result to the authentication
server means 42 as the authentication challenge response Response401 through the 1st
transceiver means 311 (ST4103, ST4104).

[0116] Meanwhile, in the authentication server means 42, the authentication challenge
response Response401 is received by the 2nd transceiver means 321, and the disturbance
hash value 4204 is taken out and sent to the 2nd exclusive-OR means 422 (ST4202). In
addition, when the notice 4202 of a retrieval result shows that a corresponding entry
exists, the 2nd hash means 421 performs the hash operation H on the connection of the
password 3204 and the challenge random number 3206 and supplies the resulting hash
value 4203 to the 2nd exclusive-OR means 422 (ST4201). The 2nd exclusive-OR means 422
performs the EXCLUSIVE OR operation bit by bit between the hash value 4203 obtained
from the 2nd hash means 421 and the disturbance hash value 4204, and sends the random
number 4205 for authentication obtained as a result to the 2nd multistage hash means
423 (ST4203). The 2nd multistage hash means 423 performs on the random number 4205 for
authentication the hash operation H for a number of stages equal to the count 4201 of
effective, and sends the resulting multistage hash value 4206 to the authentication
child addition means 328 (ST4204).

[0117] Thereafter, the operation of the ticket identifier generation means 327, the
authentication time check means 322, and the authentication child addition means 328
is the same as in the case of drawing 4 and drawing 5, except that the ticket
identifier generation means 327 uses the notice 4202 of a retrieval result instead of
the collating result 3209, and that the authentication child addition means 328 uses
the count 4201 of effective and the multistage hash value 4206 instead of the count
3202 of effective and the multistage hash value 3210. Authentication ticket data 4207
whose contents differ from the authentication ticket data 3213 are obtained (ST4205)
and sent to the client means 41 as the authentication ticket Ticket402 through the 2nd
transceiver means 321.

[0118] Meanwhile, in the client means 41, said 1st transceiver means 311 and said
ticket maintenance means 314 operate as in the case of drawing 5 and drawing 6, and
when the notice 3104 of use license procedure starting is given, the authentication
ticket Ticket403 is sent to the license server means 33 with the license demand
Authorize Request, and the count 3112 of effective is supplied to the multistage hash
means 317.

[0119] The operation of the license server means 33 in response to this is the same as
in the case of drawing 5 and drawing 6, and the license challenge Challenge306 is
returned.



[0120] Meanwhile, in the client means 41, said 1st transceiver means 311 and the
multistage hash means 317 operate as in the case of drawing 5 and drawing 6. However,
what is obtained from said secret storage means 316 is the random number 4105 for
authentication (ST4105), and the processing is performed on it. That is, the
multistage hash means 317 performs the hash operation H for a number of stages equal
to the difference between the count 3112 of effective and the count 3115 of use
(ST4106), and the resulting multistage hash value 4106 is sent to the license server
means 33 as the license challenge response Response404 through the 1st transceiver
means 311 (ST4107).

[0121] The multistage hash value carried by the license challenge response
Response404 that the license server means 33 thereby obtains and the multistage hash
value carried by the authentication ticket Ticket403 differ from the case of drawing 5
and drawing 6 only in the object being hashed, and the operational relation between
the former and the latter is maintained. Therefore, the operation of the license
server means 33 in response to this may be the same as in the case of drawing 5 and
drawing 6: the relation of the two multistage hash values is checked, and if it is
recognized as correct, the notice Result308 of license is returned and is received in
the client means 41. By this approach, use license can be obtained up to n times,
without revealing Password PW to a third person including the license server means 33,
using the authentication ticket 402, which is unrelated to Password PW of the client
means 41 and is of higher safety.
[0122] In the above explanation the client means 41 calculates a multistage hash
value at every use license procedure, but the multistage hash values of all numbers of
stages may instead be precomputed when the authentication ticket is acquired and
stored in the secret storage means 316. In that case a mass tamper-proof memory
device has to be used as the secret storage means 316, but the processing time of
every use license procedure can be shortened further.

[0123] Thus, when an authentication system takes the configuration of this operation
gestalt, use license processing can be performed in a practical processing time even if
the client side is equipment of low computation capacity. Moreover, since the
collating information included in an authentication ticket is unrelated to the user
authentication information, there is no possibility that the user authentication
information will be guessed from an authentication ticket, and a single sign-on type
authentication approach and authentication system of higher safety are obtained.

[0124] (Gestalt of the 6th operation) In the authentication system of the 6th
operation gestalt, the authentication ticket whose count of use has been updated is
sent to the client means from the license server together with the notice of license.

[0125] Drawing 14 is the protocol sequence diagram showing the protocol of this
authentication system. In drawing 14, the client means 51 and the license server
means 53 differ from drawing 4, and the authentication server means 32 is unchanged.
It also differs in that the updated authentication ticket Ticket501 is sent to the client
means 51 from the license server 53 together with the notice Result308 of license.

[0126] Compared with the authentication ticket 305, this authentication ticket
Ticket501 differs in the following points.

[0127] That is, the (n+1)-step hash result in the authentication ticket 305 is replaced
with the (n-k+1)-step hash result (k is the count of use). The count n of effective in
the authentication ticket 305 is replaced with the remaining count n-k of available.
The time stamp TS0 is replaced with the new time stamp TSk. The publisher
identifier IID is replaced with the server identifier which shows the license server 53
itself. Furthermore, a new authentication child is added.
[0128] By this approach, the client means 51 can obtain use license up to n times using
the authentication ticket 304 or the updated authentication ticket 501, without
revealing Password PW to a third person including the license server means 53.
Moreover, since the time stamp of an authentication ticket is updated each time, the
expiration date can be set shorter. Therefore, the period during which the ticket can
be a target of attack by an unauthorized third person becomes short, and safety is
higher. Moreover, since one step of hash operation is enough in the license server
means 53, the response time in a use license procedure can be shortened.
[0129] The configuration of an authentication system with such a protocol sequence is
explained with reference to drawing 15.

[0130] In drawing 15, the client means 51 and the license server means 53 differ
from drawing 5, and the authentication server means 32 is unchanged. The client
means 51 differs from the client means 31 of drawing 5 in that the ticket maintenance
means 511 can also hold the authentication ticket data 5101 of the authentication
ticket Ticket501 from the license server means 53. The license server means 53
differs from the license server means 33 of drawing 5 in that the ticket use
management tool 531 also outputs the remaining count of available, the 3rd hash
means 532 which performs one step of hash operation H is provided instead of the 3rd
multistage hash means 336, the 2nd authentication child addition means 533 which
generates and adds the authentication child to an authentication ticket is newly
provided, and part of the connection is changed.

[0131] As this ticket maintenance means 511, the same configuration as the ticket
maintenance means 314 can be used with connection added. As the ticket use
management tool 531, the same configuration as the ticket use management tool 335
can be used with connection added. As the 3rd hash means 532, an arithmetic circuit
which incorporates the algorithm of the hash operation H can be used, for example.
As the 2nd authentication child addition means 533, the same configuration as the
authentication child addition means 328 can be used. In addition, each
above-mentioned means may be realized using a computer program on a
microcomputer or a general purpose computer. Or the computer program may be
recorded on a program documentation medium in a readable format, and the means
may be realized by the configuration combined with a program documentation medium
reader.

[0132] It explains referring to drawing 16 about actuation of the authentication 
system constituted as mentioned above. Here, the case where authentication demand 
Authenticate Request301 is accompanied by the count n of authentication ticket 
effective is explained. 

[0133] First, the actuation in the client means 51 and the authentication server 
means 32 is the same as that of the case of drawing 5 and drawing 6 , a user 
authentication procedure is performed and, finally the authentication ticket Ticket304 
is sent to the client means 51 from the authentication server means 32. 
[0134] In the client means 51, meanwhile, the 1st transceiver means 311 operates as in
the case of drawing 5 and drawing 6. The ticket maintenance means 511 operates like
the ticket maintenance means 314 in the case of drawing 5 and drawing 6: it sends the
authentication ticket Ticket305 to the license server means 53 with the license
demand Authorize Request, while the count 3112 of effective is taken out from the
authentication ticket data and sent to the multistage hash means 317.

[0135] In the license server means 53, meanwhile, the 3rd transceiver means 331, the
license time check means 332, the authentication child verification means 333, and
the ticket effective judging means 334 operate as in the case of drawing 5 and
drawing 6, and supply the ticket identifier 3305, the multistage hash value 3306, the
count 3307 of effective, the publisher identifier 3308, and the ticket effective notice
3310 to the ticket use management tool 531. The ticket use management tool 531
operates almost like the ticket use management tool 335 in the case of drawing 5 and
drawing 6: the count 5301 of use is sent as it is to the client means 51 as the license
challenge Challenge306 through the 3rd transceiver means 331, and the multistage
hash value 3306 is sent to the license collating means 337 as the multistage hash
value 5302. In addition, the group 5303 of the ticket identifier, the remaining count of
available and the server identifier is output and sent to the 2nd authentication child
addition means 533.

[0136] Actuation of the client means 51 against this is the same as that of the case 
of drawing 5 and drawing 6 , and the license challenge response Response307 is 
returned to the license challenge Challenge306. 

[0137] In the license server means 53, meanwhile, the license challenge response
Response307 is received by the 3rd transceiver means 331, and the multistage hash
value 5304 is taken out and sent to the 3rd hash means 532 and the 2nd
authentication child addition means 533. The 3rd hash means 532 performs the hash
operation H on the multistage hash value 5304, and sends the secondary multistage
hash value 5305, whose number of hash stages is increased by one, to the license
collating means 337 (ST5301). The license collating means 337 judges whether the
multistage hash value 5302 and the secondary multistage hash value 5305 coincide
(ST5302, ST3316), and sends the collating result 5307 to the 2nd authentication child
addition means 533.

[0138] The license time check means 322 keeps the current time and supplies the time
stamp 5306 based on the current time to the 2nd authentication child addition means
533. The 2nd authentication child addition means 533 connects the group 5303 of the
ticket identifier, the remaining count of available and the server identifier, the
multistage hash value 5304, the time stamp 5306, and the publisher identifier which
shows the license server 53 itself. It generates and adds an authentication child for
the connected data, makes the result the authentication ticket data 5308 (ST5303),
and sends it to the client means 51 with the notice Result308 of license as the
authentication ticket Ticket501 through the 3rd transceiver means 331 (ST5304).

[0139] In the client means 51, meanwhile, the authentication ticket Ticket501 is
received by the 1st transceiver means 311, sent to said ticket maintenance means 511
as the authentication ticket data 5101, held there (ST5101, ST5102), and used in the
next use license procedure.

[0140] Since the number of stages of the multistage hash value accompanying the
authentication ticket 305 sent from the client means 51 to the license server means
53 thereby decreases by one at every use license, the license server means 53 only
has to perform one step of hash operation, and the response time can be shortened.
Moreover, since the time stamp is updated, the expiration date can be set as short as
is enough to cover the interval between accesses, for example 1 hour, and safety can
be raised without lowering user convenience. By this approach, the client means 31
can obtain use license up to n times in a shorter response time, using the
authentication ticket 305 of higher safety, without revealing Password PW to a third
person including the license server means 53.

[0141] In the above explanation the client means 51 calculates a multistage hash
value at every use license procedure, but the multistage hash values of all numbers of
stages may instead be precomputed when the authentication ticket is acquired and
stored in the secret storage means 316. In that case a mass tamper-proof memory
device has to be used as the secret storage means 316, but the processing time of
every use license procedure can be shortened further.

[0142] Thus, in the authentication system of the gestalt of this operation, possibility 
of the unauthorized use by the third person can be made smaller, and the response 
time of use license can be shortened. 
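
The ticket renewal of [0127] and the one-step check of [0137] to [0140], as an added Python example that is not part of the patent text. SHA-256 for H, HMAC-SHA256 with one key shared by both servers for the authentication child, the field encoding, and all identifiers and sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


def H(data: bytes) -> bytes:
    """One stage of the hash operation H (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def hchain(seed: bytes, stages: int) -> bytes:
    """Multistage hash: apply H to seed `stages` times."""
    for _ in range(stages):
        seed = H(seed)
    return seed


@dataclass(frozen=True)
class Ticket:
    tid: str          # ticket identifier TID
    issuer: str       # publisher identifier: auth server, later the license server
    remaining: int    # n at issue, n-k after k uses
    ts: int           # time stamp TS0 / TSk, in seconds
    value: bytes      # collating value: H applied `remaining` times to the secret
    mac: bytes = b""  # authentication child (HMAC is an assumption)


def _body(t: Ticket) -> bytes:
    fields = [t.tid.encode(), t.issuer.encode(), str(t.remaining).encode(),
              str(t.ts).encode(), t.value]
    # Length-prefix every field so that field boundaries cannot be shifted.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def seal(t: Ticket, key: bytes) -> Ticket:
    return replace(t, mac=hmac.new(key, _body(t), hashlib.sha256).digest())


def sealed_ok(t: Ticket, key: bytes) -> bool:
    return hmac.compare_digest(t.mac, hmac.new(key, _body(t), hashlib.sha256).digest())


def issue(secret: bytes, n: int, key: bytes, now: int) -> Ticket:
    """Authentication server: ticket good for n uses (TID is a constructed value)."""
    return seal(Ticket("TID-0001", "auth-server", n, now, hchain(secret, n)), key)


def respond(secret: bytes, ticket: Ticket) -> bytes:
    """Client: one stage fewer than the value in the ticket it currently holds."""
    if ticket.remaining < 1:
        raise ValueError("ticket is used up")
    return hchain(secret, ticket.remaining - 1)


class LicenseServer:
    def __init__(self, key: bytes, max_age: int = 3600):
        self.key = key
        self.max_age = max_age  # short expiry, "for example, 1 hour"
        self.left = {}          # tid -> remaining count after the last granted use

    def authorize(self, ticket: Ticket, response: bytes, now: int):
        """Return the renewed ticket on success, None on refusal."""
        if not sealed_ok(ticket, self.key):
            return None
        if ticket.remaining < 1 or now - ticket.ts > self.max_age:
            return None
        if self.left.get(ticket.tid, ticket.remaining) != ticket.remaining:
            return None         # a superseded ticket was presented again
        # A single hash stage is enough, whatever k is.
        if not hmac.compare_digest(H(response), ticket.value):
            return None
        self.left[ticket.tid] = ticket.remaining - 1
        renewed = Ticket(ticket.tid, "license-server", ticket.remaining - 1, now, response)
        return seal(renewed, self.key)


if __name__ == "__main__":
    key = b"constructed-server-key"
    secret = H(b"constructed-password" + b"constructed-R0")  # constructed sample input
    server, ticket = LicenseServer(key), issue(secret, 3, key, now=0)
    for now in (60, 120, 180):
        ticket = server.authorize(ticket, respond(secret, ticket), now)
        print(ticket.issuer, ticket.remaining, ticket.value.hex()[:16])
```

The presented value becomes the next collating value, so the server never hashes more than once per request, and the `left` table plays the part of the ticket use management tool by refusing a ticket that has already been superseded.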



[0143] (Gestalt of the 7th operation) In the authentication system of the 7th
operation gestalt, an authentication ticket can be used in common by two or more
license servers.

[0144] Drawing 17 is the protocol sequence diagram showing the protocol of this
authentication system. In drawing 17, the client means 61, the authentication server
means 62, and the license server means 63 differ from drawing 4, and the
authentication ticket management tool 64 is added. The protocol further differs in
the following points. The authentication server means 62 which received the
authentication challenge response Response303 sends to the authentication ticket
management tool 64 the authentication ticket shelf registration directions
Registration601, accompanied by the ticket identifier TID and the server identifier
SID which the authentication server means 62 took out from authentication demand
Authenticate Request301, and the count n of effective. The license demand
Authorize Request602 is accompanied by the count k of use. The license server
means 63 which received the license demand Authorize Request602 and the
authentication ticket Ticket305 sends to the authentication ticket management tool
64 the renewal directions Update603 of authentication ticket hysteresis, accompanied
by the ticket identifier TID and the server identifier SID which it took out from the
license demand Authorize Request602 and the authentication ticket 305, and the
count k of use. The notice Reject606 of authentication ticket refusal is returned to
this if needed. The license challenge Challenge604 is accompanied, instead of the
count k of use, by the random number Rk generated so that it differs each time. The
license challenge response Response605 is accompanied by the result of performing
n-k+1 steps of the hash operation H on the connection of Password PW and random
number R0, and then carrying out EXCLUSIVE OR operation with Rk.

[0145] By this approach, the client means 61 can obtain use license up to n times using
the authentication ticket 304, without revealing Password PW to a third person
including the license server means 63. Since the count k of use is sent from the client
means 61 and checked with the authentication ticket management tool 64, which is
independent of the license server means 63, the authentication ticket 304 can be
made available in common to two or more license server means 63.
[0146] The configuration of an authentication system with this protocol sequence is
explained with reference to drawing 18. In drawing 18 as well, the client means 61, the
authentication server means 62, and the license server means 63 differ from drawing
5, and the authentication ticket management tool 64 is added. The client means 61
differs from the client means 31 of drawing 5 in that the ticket maintenance
management tool 611, which manages the count k of use while holding an
authentication ticket, is provided instead of the ticket maintenance means 314, the
1st exclusive-OR means 612 which performs EXCLUSIVE OR operation for every bit
is provided, and part of the connection is changed. The authentication server means
62 differs from the authentication server means 32 of drawing 5 in that a ticket
registration directions means 621 which generates authentication ticket shelf
registration directions data is provided, and part of the connection is changed.

[0147] The license server means 63 differs from the license server means 33 of
drawing 5 in the following points. A renewal directions means 631 of a ticket, which
generates the renewal directions data of authentication ticket hysteresis while
receiving the ticket identifier of an authentication ticket and the count of effective
and remaining count of available and supplying them to each part, is provided instead
of the ticket use management tool 335. The 2nd random-number generation means
632, which generates a random number for every use license processing, and the 2nd
exclusive-OR means 633, which performs EXCLUSIVE OR operation for every bit, are
provided. Part of the connection is changed.

[0148] This ticket maintenance management tool 611 is constituted by adding an adder
circuit which calculates the count of use to the same configuration as the ticket
maintenance means 335. As the 1st and 2nd exclusive-OR means 612 and 633, a
logical circuit can be used, for example. As the ticket registration directions means
621, a logical circuit can be used, for example. As the renewal directions means 631
of a ticket, a logical circuit can be used, for example. As the 2nd random-number
generation means 632, the same configuration as the random-number generation
means 324 can be used. The authentication ticket management tool 64 can be
constituted by a combination of various communication-interface equipment, a logical
circuit which performs division and association of data, an arithmetic circuit and
comparator circuit which collate the count of use, and a mass memory device. In
addition, each above-mentioned means may be realized using a computer program on
a microcomputer or a general purpose computer. Or the computer program may be
recorded on a program documentation medium in a readable format, and the means
may be realized by the configuration combined with a program documentation medium
reader.

[0149] It explains referring to drawing 19 about actuation of the authentication 
system constituted as mentioned above. Here, the case where authentication demand 
Authenticate Request301 is accompanied by the count n of authentication ticket 
effective is explained. 

[0150] First, the actuation of the client means 61 and the authentication server means
62 in a user authentication procedure is almost the same as in the case of drawing 5
and drawing 6, and finally the authentication ticket Ticket304 is sent to the client
means 61 from the authentication server means 62. However, in the client means 61,
the ticket maintenance management tool 611 performs the operation of the ticket
maintenance means 314 at this time. Moreover, in the authentication server means
62, the count 6201 of effective taken out from authentication demand Authenticate
Request301 is sent to the ticket registration directions means 621 as well as to the
multistage hash means 325 and the authentication child addition means 328; the
server identifier 6202 is sent to the ticket registration directions means 621 as well as
to the authentication child addition means 328; and the ticket identifier 6203
generated with the ticket identifier generation means 327 is sent to the ticket
registration directions means 621 as well as to the authentication child addition
means 328.

[0151] The ticket registration directions means 621 connects the ticket identifier
6203, the server identifier 6202, and the count 6201 of effective, generates the
authentication ticket shelf registration directions data 6204, and sends them to the
authentication ticket management tool 64 as authentication ticket shelf registration
directions Registration601 through the 2nd transceiver means 321 (ST6201). The
authentication ticket management tool 64 which received this manages a ticket list.
When the authentication ticket shelf registration directions Registration601 are
given, it searches the ticket list using the ticket identifier and investigates whether
the ticket is already registered. If there is no corresponding entry, the group of the
ticket identifier, the count of effective, and the count of effective as the value which
shows the remaining count of available is added to the ticket list and memorized.

[0152] In the client means 61, meanwhile, the authentication ticket Ticket304 is
received by the 1st transceiver means 311, and the authentication ticket data 3110 is
taken out and sent to the ticket maintenance management tool 611. The ticket
maintenance management tool 611 holds the authentication ticket data 3110 in
association with the server identifier 3101, and at the same time manages the count
of effective taken out from the authentication ticket data as the remaining count of
available (ST6101). When the notice 6101 of use license procedure starting is given,
it sends the authentication ticket data 3111 through the 1st transceiver means 311 as
the authentication ticket Ticket305 (ST6102), reduces the remaining count of
available by one, and sends the count 6102 of use, obtained by subtracting the
reduced value from the count of effective taken out from the authentication ticket,
through the 1st transceiver means 311 as the license demand Authorize Request602
(ST6103), both to the license server means 63. Further, the count 3112 of effective
taken out from the authentication ticket data is sent to the multistage hash means
317.

[0153] In the license server means 63, meanwhile, the authentication ticket Ticket305
and the license demand Authorize Request602 are received by the 3rd transceiver
means 331; the authentication ticket data 3301 is taken out and sent to the
authentication child verification means 333, and the count 6301 of use is taken out
and sent to the renewal directions means 631 of a ticket (ST6301). The license time
check means 332, the authentication child verification means 333, and the ticket
effective judging means 334 operate almost as in the case of drawing 5 and drawing
6. However, the server identifier 6302 is sent to the renewal directions means 631 of
a ticket as well as to the ticket effective judging means 334, and the effective notice
6303 is sent to the renewal directions means 631 of a ticket and the 2nd
random-number generation means 632. If the effective notice 6303 is given, the
renewal directions means 631 of a ticket connects the ticket identifier 3305, the
server identifier 6302, and the count 6301 of use, generates the renewal directions
data 6304 of authentication ticket hysteresis, and sends it through the 3rd transceiver
means 331 to the authentication ticket management tool 64 as the renewal directions
Update603 of authentication ticket hysteresis (ST6302). It also sends the count 6301
of use as it is to the 3rd multistage hash means 336 as the count 6306 of use. When
the renewal directions Update603 of authentication ticket hysteresis are given, the
authentication ticket management tool 64 searches the ticket list using the ticket
identifier, and confirms that the value which shows the corresponding count of
effective agrees with the sum of the corresponding value which shows the remaining
count of available and the count of use accompanying the renewal directions
Update603 of authentication ticket hysteresis. If right, the value which shows the
remaining count of available in the ticket list is reduced by one, and if not right, the
notice Reject606 of authentication ticket refusal is returned. In the license server
means 63, the notice 606 of authentication ticket refusal is sent through the 3rd
transceiver means 331 to said renewal directions means 631 of a ticket as the notice
data 6305 of authentication ticket refusal. The renewal directions means 631 of a
ticket sends the multistage hash value 3306 as it is to the license collating means 337
as the multistage hash value 3312, but if the notice data 6305 of authentication ticket
refusal is given, it inhibits this. If the effective notice 6303 is given, the 2nd
random-number generation means 632 newly generates at random the challenge
random number 6307 for data disturbance, sends it to the 2nd exclusive-OR means
633, and sends it to the client means 61 as the license challenge Challenge604
through the 3rd transceiver means 331 (ST6303).

[0154] In the client means 61, meanwhile, the license challenge Challenge604 is
received by the 1st transceiver means 311, and the challenge random number 6103 is
taken out and sent to the 1st exclusive-OR means 612 (ST6104). When the notice
6101 of use license procedure starting is given, the multistage hash means 317
obtains a hash value 3113 from said secret storage means 316, performs on the hash
value 3113 the hash operation H for the number of stages equal to the difference
between the count 3112 of effective and the count 6102 of use, and sends the
resulting multistage hash value 6104 to the 1st exclusive-OR means 612. When the
notice 6101 of use license procedure starting is given, the 1st exclusive-OR means
612 performs EXCLUSIVE OR operation for every bit between the multistage hash
value 6104 and the challenge random number 6103, generates the disturbance
multistage hash value 6105, and sends it to the license server means 63 as the license
challenge response Response605 through the 1st transceiver means 311 (ST6105,
ST6106). As long as the hash operation H is sufficiently safe in its one-way nature,
the length of its result, and its random nature, a third person who does not know
Password PW, the random number R0, and the challenge random number cannot
calculate this disturbance multistage hash value 6105, so this disturbance multistage
hash value 6105 shows that the sender is the valid user who knows Password PW.
Moreover, since the number of stages of the hash operation H in a multistage hash
value is larger the further back in the past it was used, the following multistage hash
value cannot be calculated from this multistage hash value 6104, and there is no need
for encryption. In addition, a hash operation is generally 100 or more times faster
than a code operation, and with a suitable number of stages the processing is faster
than in the case where a code is used.

[0155] In the license server means 63, meanwhile, the license challenge response
Response605 is received by the 3rd transceiver means 331, and the disturbance
multistage hash value 6308 is taken out and sent to the 2nd exclusive-OR means 633
(ST6304). The 2nd exclusive-OR means 633 performs EXCLUSIVE OR operation for
every bit between the challenge random number 6307 and the disturbance multistage
hash value 6308, obtains the multistage hash value 6309, and sends it to the 3rd
multistage hash means 336 (ST6305). The 3rd multistage hash means 336 performs on
the multistage hash value 6309 the hash operation for the number of stages equal to
the count 6306 of use, and sends the resulting secondary multistage hash value 3314
to the license collating means 337. The license collating means 337 operates as in the
case of drawing 5 and drawing 6, and the notice data 3315 of license is sent through
the 3rd transceiver means 331 and received by the client means 61 as the notice
Result308 of license. However, this does not apply when supply of the multistage
hash value 3312 is inhibited by reception of the notice Reject606 of authentication
ticket refusal (ST6306, ST6307). By this approach, the client means 61 can obtain use
license from two or more license server means up to n times using the authentication
ticket 305, without revealing Password PW to a third person including the license
server means 63.

[0156] In the above explanation the client means 61 calculates a multistage hash
value at every use license procedure, but the multistage hash values of all numbers of
stages may instead be precomputed when the authentication ticket is acquired and
stored in the secret storage means 316. In that case a mass tamper-proof memory
device has to be used as the secret storage means 316, but the processing time of
every use license procedure can be shortened further.

[0157] Thus, with this operation gestalt, a highly convenient single sign-on type
authentication system can be constituted in which an authentication ticket can be
used in common by two or more license servers under a method in which the
authentication ticket is not updated.
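
The exchange of [0151] to [0155] with two license servers sharing one ticket list, as an added Python example that is not part of the patent text. SHA-256 for H, the class and method names and the sample values are assumptions; the ledger test is an assumed reading of the count comparison in [0153], and the authentication child and time stamp checks are left out to keep the focus on the use counter and the XOR step.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    """One stage of the hash operation H (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def hchain(seed: bytes, stages: int) -> bytes:
    for _ in range(stages):
        seed = H(seed)
    return seed


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TicketManager:
    """Stand-in for the authentication ticket management tool 64."""

    def __init__(self):
        self.tickets = {}  # tid -> [count of effective n, remaining count of available]

    def register(self, tid: str, n: int) -> bool:   # Registration601
        if tid in self.tickets:
            return False
        self.tickets[tid] = [n, n]
        return True

    def update(self, tid: str, k: int) -> bool:     # Update603; False stands for Reject606
        entry = self.tickets.get(tid)
        if entry is None:
            return False
        n, remaining = entry
        # Assumed reading of the count check: use number k is accepted only
        # when exactly k-1 uses are on record and at least one use is left.
        if remaining < 1 or n - remaining != k - 1:
            return False
        entry[1] = remaining - 1
        return True


class LicenseServer:
    def __init__(self, manager: TicketManager):
        self.manager = manager
        self.pending = {}  # tid -> (k, Rk) waiting for the response

    def challenge(self, tid: str, k: int):
        if not self.manager.update(tid, k):
            return None                      # refusal passed on to the client
        rk = secrets.token_bytes(32)         # new random number Rk every time
        self.pending[tid] = (k, rk)
        return rk

    def verify(self, tid: str, collation: bytes, masked: bytes) -> bool:
        k, rk = self.pending.pop(tid, (0, None))
        if rk is None or len(masked) != len(rk):
            return False
        # Undo the XOR with Rk, then hash k more stages to reach the ticket value.
        return hmac.compare_digest(hchain(xor(masked, rk), k), collation)


class Client:
    def __init__(self, secret: bytes, tid: str, n: int):
        self.secret, self.tid, self.n, self.remaining = secret, tid, n, n
        self.collation = hchain(secret, n)   # value carried in the ticket

    def respond(self, k: int, rk: bytes) -> bytes:
        return xor(hchain(self.secret, self.n - k), rk)


def authorize(client: Client, server: LicenseServer) -> bool:
    k = client.n - client.remaining + 1      # count k of use for this request
    rk = server.challenge(client.tid, k)
    if rk is None:
        return False
    client.remaining -= 1                    # the shared list has consumed one use
    return server.verify(client.tid, client.collation, client.respond(k, rk))


if __name__ == "__main__":
    manager = TicketManager()
    server_a, server_b = LicenseServer(manager), LicenseServer(manager)
    secret = H(b"constructed-password" + b"constructed-R0")  # constructed sample input
    client = Client(secret, "TID-0001", 3)
    manager.register(client.tid, client.n)
    for name, srv in (("A", server_a), ("B", server_b), ("A", server_a), ("B", server_b)):
        print(name, authorize(client, srv))  # the fourth request is refused
```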

[0158] (Gestalt of the 8th operation) The authentication system of the 8th operation
gestalt can carry out distributed management of the use of an authentication ticket.

[0159] Drawing 20 is the protocol sequence diagram showing the protocol of this
authentication system. In drawing 20, the client means 71, the authentication server
means 72, and the license server means 73 differ from drawing 14, and the 2nd
license server means 74 is added. The protocol further differs in the following
points. The license demand Authorize Request701 is accompanied by the count k of
use. The license server means 73 which received the license demand Authorize
Request701 and the authentication ticket Ticket305 sends to the authentication
server means 72 or the 2nd license server means 74 the authentication ticket
hysteresis enquiry Inquiry702, accompanied by the ticket identifier TID and the
server identifier SID which it took out from the license demand Authorize
Request701 and the authentication ticket 305, and the count k of use. The notice
Reject705 of authentication ticket refusal is returned to this if needed. The license
challenge Challenge703 is accompanied, instead of the count k of use, by the random
number Rk generated so that it differs each time. The license challenge response
Response704 is accompanied by the result of performing n-k+1 steps of the hash
operation H on the connection of Password PW and random number R0, and then
carrying out EXCLUSIVE OR operation with Rk.
[0160] By this approach, the client means 71 can obtain use license up to n times using
the authentication ticket 304 or the updated authentication ticket 501, without
revealing Password PW to a third person including the license server means 73 and
the 2nd license server means 74. Since the count k of use is sent from the client
means 71 through the license server means 73 to, and checked by, the authentication
server means 72 which published the authentication ticket or the 2nd license server
means 74 which updated it, the authentication ticket 304 can be made available in
common to two or more license server means 73 and 74, and the traffic of check
processing can be decentralized.

[0161] The configuration of an authentication system with such a protocol sequence is
explained with reference to drawing 21. In drawing 21 as well, the client means 71, the
authentication server means 72, and the license server means 73 differ from drawing
15, and the 2nd license server means 74 is added. The client means 71 differs from
the client means 51 of drawing 15 in that the ticket maintenance management tool
711, which manages the count k of use while holding an authentication ticket, is
provided instead of the ticket maintenance means 511, the 1st exclusive-OR means
712 which performs EXCLUSIVE OR operation for every bit is provided, and part of
the connection is changed. The authentication server means 72 differs from the
authentication server means 32 of drawing 15 in that the ticket issue management
tool 721, which manages issue of an authentication ticket and answers enquiries, is
provided, and part of the connection is changed. The license server means 73 differs
from the license server means 53 of drawing 15 in the following points. The renewal
management tool 731 of a ticket, which manages renewal of an authentication ticket
and answers enquiries while receiving the ticket identifier of an authentication ticket
and the count of effective and remaining count of available and supplying them to
each part, is provided instead of the ticket use management tool 531. The 2nd
random-number generation means 732, which generates a random number for every
use license processing, and the 2nd exclusive-OR means 733, which performs
EXCLUSIVE OR operation for every bit, are provided. Part of the connection is
changed. The 2nd license server means 74 has the same configuration as the license
server means 73.

[0162] As the ticket maintenance management tool 711, the same configuration as the
ticket maintenance means 511 can be used with an adder circuit which calculates the
count of use added. As the 1st and 2nd exclusive-OR means 712 and 733, a logical
circuit can be used, for example. The ticket issue management tool 721 can be
constituted, for example, by a combination of a logical circuit which performs division
and association of data, an arithmetic circuit and comparator circuit which collate the
count of use, and a mass memory device. The renewal management tool 731 of a
ticket can be constituted, for example, by a combination of a logical circuit which
performs division and association of data, an arithmetic circuit and comparator
circuit which collate the count of use, and a mass memory device. As the 2nd
random-number generation means 732, the same configuration as the random-number
generation means 324 can be used. In addition, each above-mentioned means may be
realized using a computer program on a microcomputer or a general purpose
computer. Or the computer program may be recorded on a program documentation
medium in a readable format, and the means may be realized by the configuration
combined with a program documentation medium reader.

[0163] The operation of the authentication system constituted as mentioned above is
explained with reference to drawing 22. Here, the case where the authentication
demand Authenticate Request301 is accompanied by the count n of effective of the
authentication ticket is explained.

[0164] First, the operation of the client means 71 and the authentication server
means 72 in the user authentication procedure is almost the same as in the case of
drawing 15 and drawing 16, and finally the authentication ticket Ticket304 is sent
from the authentication server means 72 to the client means 71. However, in the
client means 71, the ticket maintenance management tool 711 performs the operation
of the ticket maintenance means 511 at this time. Moreover, in the authentication
server means 72, the count 7201 of effective taken out from the authentication demand
Authenticate Request301 is sent to the ticket issue management tool 721 as well as to
the multistage hash means 325 and the authentication child addition means 328, the
server identifier 7202 is sent to the ticket issue management tool 721 as well as to
the authentication child addition means 328, and the ticket identifier 7203 generated
by the ticket identifier generation means 327 is sent to the ticket issue management
tool 721 as well as to the authentication child addition means 328. The ticket issue
management tool 721 manages the list of issued tickets; it adds to the ticket list, and
stores, the group of the ticket identifier 7203, the server identifier 7202, the count
7201 of effective, and the count 7201 of effective again as the value showing the
remaining count of available (ST7201).

[0165] In the client means 71, the authentication ticket Ticket304 is received by the
1st transceiver means 311, and the authentication ticket data 3110 are taken out and
sent to said ticket maintenance management tool 711. Said ticket maintenance
management tool 711 holds the authentication ticket data 3110 in association with the
server identifier 3101, and at the same time manages the count of effective taken out
from the authentication ticket data as the remaining count of available (ST7101).
When the notice 7101 of use license procedure starting is given, it sends the
authentication ticket data 3111 through the 1st transceiver means 311 as the
authentication ticket Ticket305 (ST7102), and sends the count 7102 of use, obtained
by reducing the remaining count of available by one and then subtracting it from the
count of effective taken out from the authentication ticket, through the 1st
transceiver means 311 as the license demand Authorize Request701 (ST7103), both to
the license server means 73; it further sends the count 3112 of effective taken out
from the authentication ticket data to the multistage hash means 317.

[0166] In the license server means 73, the authentication ticket Ticket305 and the
license demand Authorize Request701 are received by the 3rd transceiver means 331;
the authentication ticket data 3301 are taken out and sent to the authentication child
verification means 333, and the count 7301 of use is taken out and sent to the renewal
management tool 731 of a ticket (ST7301).

[0167] The license time check means 332, the authentication child verification means
333, and the ticket effective judging means 334 operate almost as in the case of
drawing 15 and drawing 16; however, the server identifier 7302 is sent to the renewal
management tool 731 of a ticket as well as to the ticket effective judging means 334,
and the effective notice 7303 is sent to the renewal management tool 731 of a ticket
and to the 2nd random-number generation means 732. The renewal management tool 731
of a ticket manages the list of issued tickets. When the effective notice 7303 is
given, it connects the ticket identifier 3305, the server identifier 7302, and the
count 7301 of use to obtain the authentication ticket hysteresis enquiry data 7304,
and sends them through the 3rd transceiver means 331, as the authentication ticket
hysteresis enquiry Inquiry702, to the authentication server means 72 or the 2nd
license server means 74 that the publisher identifier 3308 indicates. At the same
time it adds to the ticket list, and stores, the group of the ticket identifier 3305,
the server identifier 7302, the count 7301 of effective, and the count 7301 of
effective again as the value showing the remaining count of available (ST7302).

[0168] In the authentication server means 72 that receives this, the authentication
ticket hysteresis enquiry Inquiry702 is received by the 2nd transceiver means 321 and
sent to said ticket issue management tool 721 as authentication ticket hysteresis
enquiry data 7205 containing a ticket identifier, a server identifier, and the count
of use. Said ticket issue management tool 721 checks whether the count of use taken
out from the authentication ticket hysteresis enquiry data 7205 agrees with the value
obtained by adding one to the difference between the count of effective and the
remaining count of available that it manages itself, and, in the case of disagreement,
returns the notice data 7204 of authentication ticket refusal as the notice Reject705
of authentication ticket refusal through the 2nd transceiver means 321. In addition,
when the 2nd license server means 74 receives the enquiry, its renewal management
tool of a ticket performs the same role as said ticket issue management tool 721.

[0169] In the license server means 73, the notice Reject705 of authentication ticket
refusal is sent through the 3rd transceiver means 331 to said renewal management tool
731 of a ticket as notice data 7305 of authentication ticket refusal. Said renewal
management tool 731 of a ticket sends the multistage hash value 3306 as it is to the
license collating means 337 as the multistage hash value 5302, and sends the group
5303 of the ticket identifier, the remaining count of available, and the server
identifier to the 2nd authentication child addition means 533; however, if the notice
data 7305 of authentication ticket refusal are given, it inhibits these. When the
effective notice 7303 is given, the 2nd random-number generation means 732 newly
generates at random the challenge random number 7306 for data disturbance, sends it
to the 2nd exclusive-OR means 733, and also sends it to the client means 71 through
the 3rd transceiver means 331 as the license challenge Challenge703 (ST7303).

[0170] In the client means 71, the license challenge Challenge703 is received by the
1st transceiver means 311, and the challenge random number 7103 is taken out and sent
to the 1st exclusive-OR means 712 (ST7104). When the notice 7101 of use license
procedure starting is given, the multistage hash means 317 obtains the hash value 3113
from said secret storage means 316, performs on the hash value 3113 the hash
operation H for the number of stages equal to the difference between the count 3112
of effective and the count 7102 of use, and sends the resulting multistage hash value
7104 to the 1st exclusive-OR means 712. When the notice 7101 of use license procedure
starting is given, the 1st exclusive-OR means 712 performs a bitwise EXCLUSIVE OR
operation between the multistage hash value 7104 and the challenge random number 7103,
generates the disturbance multistage hash value 7105, and sends it to the license
server means 73 through the 1st transceiver means 311 as the license challenge
response Response704 (ST7105, ST7106). As long as the hash operation H is
sufficiently safe in its one-way property, the length of its result, and its
randomness, a third person who does not know the Password PW, the random number R0,
and the challenge random number cannot calculate this disturbance multistage hash
value 7105, so the disturbance multistage hash value 7105 shows that the sender is the
valid user who knows the Password PW. Moreover, since the number of stages of the
hash operation H in a multistage hash value is larger the further back in the past
the value was used, the next multistage hash value cannot be calculated from this
multistage hash value 7104 either, and there is no need for encryption. In addition,
a hash operation is generally 100 or more times faster than a cipher operation, and
with a suitable number of stages the processing can be faster than in the case where
a cipher is used.

[0171] In the license server means 73, the license challenge response Response704 is
received by the 3rd transceiver means 331, and the disturbance multistage hash value
7307 is taken out and sent to the 2nd exclusive-OR means 733 (ST7304). The 2nd
exclusive-OR means 733 performs a bitwise EXCLUSIVE OR operation between the
challenge random number 7306 and the disturbance multistage hash value 7307, obtains
the multistage hash value 7308, and sends it to the 3rd hash means 532 (ST7305). The
3rd hash means 532 performs a hash operation on the multistage hash value 7308, and
sends the resulting secondary multistage hash value 5305 to the license collating
means 337. The license collating means 337 and the 2nd authentication child addition
means 533 operate as in the case of drawing 15 and drawing 16, and send the
authentication ticket data 5308 to the client means 71 through the 3rd transceiver
means 331 as the authentication ticket Ticket501. However, this does not apply when,
on reception of the notice Reject705 of authentication ticket refusal, supply of the
multistage hash value 5302 and of the group 5303 of the ticket identifier, the
remaining count of available, and the server identifier is inhibited (ST7306, ST7307).

[0172] In the client means 71, the authentication ticket Ticket501 is received by the
1st transceiver means 311, sent to said ticket maintenance management tool 711 as
authentication ticket data 5101, held there (ST7107, ST7108), and used in the next
use license procedure.
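
The use license exchange of paragraphs [0164] to [0172], as an added Python example that is not code from the patent: the client presents H applied (n - k) times to its secret, disturbed by XOR with the challenge, and the license server undoes the XOR, performs one hash stage, collates, and renews the ticket. SHA-256 for H, an HMAC as the authenticator, and a single license server whose own ticket list stands in for the Inquiry702 enquiry to the issuer are assumptions, and all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

def H(data):
    # One-way hash operation H. SHA-256 is an assumption; the page names no algorithm.
    return hashlib.sha256(data).digest()

def multistage_hash(value, stages):
    # Apply H `stages` times; a negative count must never fall through to the secret.
    if stages < 0:
        raise ValueError("negative number of stages")
    for _ in range(stages):
        value = H(value)
    return value

def xor_bytes(a, b):
    # Bitwise EXCLUSIVE OR of two equal-length byte strings.
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def seal(key, ticket_id, n, remaining, collation):
    # Ticket plus authenticator; an HMAC under a server key is an assumption.
    body = ticket_id + n.to_bytes(4, "big") + remaining.to_bytes(4, "big") + collation
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"id": ticket_id, "n": n, "remaining": remaining,
            "collation": collation, "tag": tag}

def tag_ok(key, t):
    fresh = seal(key, t["id"], t["n"], t["remaining"], t["collation"])
    return hmac.compare_digest(fresh["tag"], t["tag"])

def issue_ticket(key, seed, n):
    # Authentication server: collating information is H applied n times to the secret.
    return seal(key, secrets.token_bytes(8), n, n, multistage_hash(seed, n))

class LicenseServer:
    def __init__(self, key):
        self.key = key
        self.remaining = {}   # ticket list: ticket id -> remaining count of available
        self.pending = {}     # ticket id -> (challenge random number, ticket)

    def challenge(self, ticket, k):
        if not tag_ok(self.key, ticket):
            return None
        left = self.remaining.setdefault(ticket["id"], ticket["n"])
        # History check: the count of use must equal (n - remaining) + 1, and the
        # presented ticket must be the latest renewal, not an older copy.
        if left == 0 or ticket["remaining"] != left or k != ticket["n"] - left + 1:
            return None
        c = secrets.token_bytes(len(ticket["collation"]))
        self.pending[ticket["id"]] = (c, ticket)
        return c

    def authorize(self, ticket_id, response):
        entry = self.pending.pop(ticket_id, None)   # each challenge is used once
        if entry is None or len(response) != len(entry[0]):
            return None
        c, ticket = entry
        value = xor_bytes(response, c)              # undo the disturbance
        # One hash stage only: H(value) must equal the ticket's collating information.
        if not hmac.compare_digest(H(value), ticket["collation"]):
            return None
        left = self.remaining[ticket_id] - 1
        self.remaining[ticket_id] = left
        # Renewal: the presented value becomes the next collating information.
        return seal(self.key, ticket_id, ticket["n"], left, value)

class Client:
    def __init__(self, seed, ticket):
        self.seed = seed      # hash value held in the secret storage
        self.ticket = ticket

    def count_of_use(self):
        # Reduce the remaining count by one, then subtract it from the count of effective.
        return self.ticket["n"] - (self.ticket["remaining"] - 1)

    def respond(self, k, challenge):
        value = multistage_hash(self.seed, self.ticket["n"] - k)
        return xor_bytes(value, challenge)

def use_once(client, server):
    # One complete use license procedure; True when a renewed ticket was obtained.
    k = client.count_of_use()
    c = server.challenge(client.ticket, k)
    if c is None:
        return False
    renewed = server.authorize(client.ticket["id"], client.respond(k, c))
    if renewed is None:
        return False
    client.ticket = renewed
    return True

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    seed = H(b"constructed password" + b"constructed R0")   # constructed sample secret
    client, server = Client(seed, issue_ticket(key, seed, 3)), LicenseServer(key)
    print([use_once(client, server) for _ in range(4)])
```

An older copy of the ticket, a ticket whose fields were altered, and a client without the secret are all refused, and the ticket stops working after n uses.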

[0173] As a result, the number of stages in the disturbance multistage hash value
that accompanies the authentication ticket 305 sent from the client means 71 to the
license server means 73 decreases by one for every use license, so the license server
means 73 only has to perform one stage of hash operation, and the response time can
be shortened. Moreover, since the time stamp is updated, the expiration date can be
set as short as is enough to cover the interval between accesses, for example 1 hour,
and safety can be raised without lowering user convenience. By this approach, without
revealing the Password PW to a third person including the license server means 73 and
74, the client means 71 can obtain use license up to n times in a shorter response
time using the safer authentication ticket 305, the authentication ticket can be used
in common at two or more license servers, and the traffic of check processing of that
authentication ticket can be decentralized.

[0174] In addition, although the above explanation describes a configuration in which
the client means 71 calculates a multistage hash value at every use license procedure,
a configuration may also be used in which the multistage hash values for all numbers
of stages are precomputed when the authentication ticket is acquired and stored in
the secret storage means 316. In that case, a large-capacity tamper-proof memory
device needs to be used as the secret storage means 316, but the processing time for
every use license procedure can be shortened further.

[0175] Thus, by constituting an authentication system as in this embodiment, the use
of an authentication ticket can be managed in a distributed manner under the method
in which an authentication ticket is updated. Therefore, the management resource at
one place can be lessened further.
[0176] 

[Effect of the Invention] As is clear from the above explanation, this invention
provides, first, an authentication approach of a single sign-on type and an
authentication system that need no cipher processing on the client side, can easily
manage the use count of an authentication ticket, and can eliminate duplicate use.

[0177] Second, an authentication approach of a single sign-on type and an
authentication system are obtained that need no cipher processing on the client side
and can share the data processing of the authentication presentation information in
the user authentication procedure with the data processing of the presentation
information.

[0178] Third, where the collating information is generated using as the confidential
information a random number for authentication generated by the client means, the
collating information that an authentication ticket includes becomes unrelated to the
user authentication information, so there is not even a possibility that the user
authentication information will be guessed from an authentication ticket, and an
authentication approach of a single sign-on type and an authentication system with
higher safety are obtained.

[0179] Fourth, by performing the irreversible operation on the confidential
information with a one-way hash operation, an authentication approach of a single
sign-on type and an authentication system are obtained in which use license
processing can be performed in a practical processing time even if the client side is
equipment of low computation capacity.

[0180] Fifth, where the license server means updates the collating information etc.
of an authentication ticket whenever the authentication ticket is used, the time
stamp in particular is updated and the expiration date used in the validity judgment
can be set shorter, so the possibility of unauthorized use by a third person can be
made smaller, and an authentication approach of a single sign-on type and an
authentication system that can further shorten the response time of use license are
obtained.

[0181] Sixth, where an authentication ticket management tool that manages the use
count of an authentication ticket is provided, an authentication ticket can be used
in common at two or more license servers in a system in which an authentication
ticket is not updated, so an authentication approach of a single sign-on type and an
authentication system with higher convenience are obtained.

[0182] Seventh, where the authentication server means and the license server means
store the issue hysteresis of authentication tickets, the use of an authentication
ticket can be managed in a distributed manner in a system in which an authentication
ticket is updated, so an authentication approach of a single sign-on type and an
authentication system that can further lessen the management resource at one place
are obtained.

[Brief Description of the Drawings]

[Drawing 1] A conceptual diagram showing the outline of the authentication system in
the 1st embodiment of this invention.

[Drawing 2] A conceptual diagram showing the outline of the authentication system in
the 2nd embodiment of this invention.

[Drawing 3] A conceptual diagram showing the outline of the authentication system in
the 3rd embodiment of this invention.

[Drawing 4] A protocol sequence diagram of the authentication system in the 4th
embodiment of this invention.

[Drawing 5] A functional block diagram of the authentication system in the 4th
embodiment of this invention.

[Drawing 6] A flow chart showing the operation of the authentication system in the
4th embodiment of this invention.

[Drawing 7] A detailed functional block diagram of the authentication child addition
means when a message authentication code is used in the authentication system in the
4th embodiment of this invention.

[Drawing 8] A detailed functional block diagram of the authentication child
verification means when a message authentication code is used in the authentication
system in the 4th embodiment of this invention.

[Drawing 9] A detailed functional block diagram of the authentication child addition
means when a digital signature is used in the authentication system in the 4th
embodiment of this invention.

[Drawing 10] A detailed functional block diagram of the authentication child
verification means when a digital signature is used in the authentication system in
the 4th embodiment of this invention.

[Drawing 11] A protocol sequence diagram of the authentication system in the 5th
embodiment of this invention.

[Drawing 12] A functional block diagram of the authentication system in the 5th
embodiment of this invention.

[Drawing 13] A flow chart showing the operation of the authentication system in the
5th embodiment of this invention.

[Drawing 14] A protocol sequence diagram of the authentication system in the 6th
embodiment of this invention.

[Drawing 15] A functional block diagram of the authentication system in the 6th
embodiment of this invention.

[Drawing 16] A flow chart showing the operation of the authentication system in the
6th embodiment of this invention.

[Drawing 17] A protocol sequence diagram of the authentication system in the 7th
embodiment of this invention.

[Drawing 18] A functional block diagram of the authentication system in the 7th
embodiment of this invention.

[Drawing 19] A flow chart showing the operation of the authentication system in the
7th embodiment of this invention.

[Drawing 20] A protocol sequence diagram of the authentication system in the 8th
embodiment of this invention.

[Drawing 21] A functional block diagram of the authentication system in the 8th
embodiment of this invention.

[Drawing 22] A flow chart showing the operation of the authentication system in the
8th embodiment of this invention.

[Drawing 23] A conceptual diagram showing the outline of the conventional
authentication approach.

[Drawing 24] A protocol sequence diagram of the conventional authentication approach.

[Drawing 25] A functional block diagram of the conventional authentication approach.

[Drawing 26] A flow chart showing the operation of the conventional authentication
approach.

[Description of Notations] 

1, 11, 21, 31, 41, 51, 61, 71, 81 Client means

2, 12, 22, 32, 42, 62, 72, 82 Authentication server means

3, 33, 53, 63, 73, 83 License server means

4, 14, 24 Confidential information
5, 7, 803, 805 Authentication ticket
6, 804 Presentation information
8, 806 Notice of license

13, 23, 801 Authentication presentation information
64 Authentication Ticket Management Tool
74 2nd License Server Means

311 1st Transceiver Means

312, 811 Input means

313 Hash Means 

314 Ticket Maintenance Means 

316 Secret Storage Means 

317 Multistage Hash Means 

321 2nd Transceiver Means 

322 Authentication Time Check Means

323 Authentication Information Storage Means 

324 Random-Number Generation Means 

325 2nd Multistage Hash Means 

326 Authentication Collating Means 

327 Ticket Identifier Generation Means 

328 Authentication Child Addition Means 
328A Self-identifier storage means
328B Data connection means 

328C Connection data hash means 

328D Server common key storage means 

328E Common key system cryptographer stage 

328F Authentication child connection means 

328G Self-private key storage means 

328H Public key system cryptographer stage 

331 3rd Transceiver Means 

332 License Time Check Means

333 Authentication Child Verification Means 
333A Authentication child separation means 
333B The 2nd connection data hash means 
333C The 2nd server common key storage means 
333D The 2nd common key system cryptographer stage 
333E Data separation means 

333F Publisher identifier collating means 
333G Comparison means 
333H Server public key are recording means 
333J Public key system decode means 

334, 832 Ticket effective judging means

335, 531 Ticket use management tool

336 3rd Multistage Hash Means 

337 License Collating Means 



411 Random-Number Generation Means for Authentication 
412, 612, 712 1st exclusive-OR means 

421 2nd Hash Means 

422 2nd Exclusive-OR Means 

423 2nd Multistage Hash Means 
511 Ticket Maintenance Means

532 3rd Hash Means 

533 2nd Authentication Child Addition Means 
611, 711 Ticket maintenance management tool
621 Ticket Registration Directions Means 

631 Renewal Directions Means of Ticket 

632 2nd Random-Number Generation Means 

633, 733 2nd exclusive-OR means
721 Ticket Issue Management Tool 

731 Renewal Management Tool of Ticket 

732 2nd Random-Number Generation Means 

812 Session Key Decode Means 

813 Certification Time Check Means

814 Certification Information Cryptographer Stage 

821 Session Key Generation Means 

822 Session Key Cryptographer Stage 

823 Ticket Cryptographer Stage 
831 Ticket Decode Means 

833 Certification Information Decode Means 

834 Certification Information Effective Judging Means 

835 License Collating Means 



(19) (JP) (12) (A) (11) P2000-222360 A
(43) 2000.8.11

(51) Int.Cl.7
G06F 15/00
12/14
13/00
G06K 17/00
H04L 9/32

F I
G06F 15/00 330B 5B017
12/14 320C 5B058
13/00 354Z 5B085
G06K 17/00 T 5B089
H04L 9/00 675A 5J104

(21) 1-24446
(22) 1999.2.1
(71) 000005821
(74) 100099254
#0«|#lCttH3iBiSpI+»—/ t^ttlcBE?*- -y h£fej| 

£MfiIU Bufa^^-y h«Jf^S#Sli. huEEE^- 

/ \*#a«fc y Kti^y -y h £ if r«#-r * 1 1 wzmm® 
&*wmLT. HuiafSBite- /^bhcmissesru 

Suia^lft/ \ -y v- a SMSli. HuEit8&E11#&«J: U / \ y -> 
afiJ£5X »J tii LT, n— tfBE^«llc*>t>T« n \ 
•y -> a JSgfcBS LTif f=$.gy \ -y > afilfcBEBliE-y- 
M#f8lc2Sy, fiJfflggor#)iSlc*Jt^TliHuIB^'ir y h« 

n^m^m a y jt/cf ij^sa k *m t. n - k s<d/ \ -y 

-> ;H® ^fiS LTWfc^S/ \ -y -> a fil^ sOIBm 1 ©flMfe 

Wiss«i#aitsiy, mum i oflf«wi<ss«3#iati. 

Suf B^®/ \ -y -> a ^iSJ: y if fc^fft/ \ >y -> a fi^ 831318 



Rl^-/\"#lftcfcym/i:a,»i:©Sfte6<)^ajB]ijlS^^Ja: 

zm&<omwL$ w \ -y -> a fit* swaB^r*- / 
«y. 

BuIBBpI-y-/^&)b\ Buia^^r-y hfJ^WS^Slcft 
fci.^-y-y h^»rgS#lft<!:, B 2 <Dfl,S*£fi£#!8&tf 
m2^Sf«6<iaSS*a#l9:i:^fiSL. fijia^^-y hg»r 

mti<m$]%ifit Ji^JCB5iaBIiE?SliE#S«t y if fc^>r 
•y hg|gU ; ?SO : +*—/\"l5SiJ : ?i:Huia^ ^-TT'V h#»<fc 
ytffcfiJffl[slSt«!:^6^^-y hfiJSHd«^BU 

#ai8u^-A' ; 5 : ;-rHuiaiSiiE^-/\'#ifi$fctim 2 <dbpt+>- 

-/ f^lftic^ LTiS y s SuiaBSE+t-/ \"#SSfcttB3iB 
m 2 WISnT-y-/ ^Iftj: y|iggE^>r-> hJBSfeiifl]#!jg^ 

^A^fdi^ic. Bu§a^'7-r7 T > h#s«fcyff^jffi 
ma t B3ieBiiE?«iiiE#ift<fc y m tc*®i \-y -> afit * 

&vwmEm*wmLz. Buiem20DBpi-y-M-#a«t 
y ^-y \*mmm&zs:ifrcm£izmm\s\&<D&£iiz 

^x-y^U ^S^©^lc«Miem2<7>BRl+>— /\"# 
SlcBSE^'T-y h*§$&jl*0£iMy> miZm 2 (O%L&±0SL 

&&££B£LTBufa*5<:Pvh#extfiiijfa 

S2©S^WSSS»#l9:tCSy> BufBM2iDSffSfi<lSilS 

luia^ 2 ©aa*fi£#s«t y if fciSLa t be 
^ 5 -r 7 > t- #16* y it tc.m&3>m> \ -y -> afitt ^tfts 

Wi«a«]ja»*iT%oT*l8y \-y ->afil«-l!lif L, sdia 
S2©/\7y2fS(i, BtiaM2cD8^WSSS«l#SJ: 
»J if t&mi \ -y -> a fiitc/ \ -y -> a 5H»«Jg LTif tc -A 
&W\"J ->afi!5-ilJ^ U Huiem 2 CDBSE^SD^Ift 
ti. B3ie^>r-y MUl#8:<t: yif fc^-y hffigy^ -y 

-/ WBfrnxm y Buiam 2 (o^m^mm 
y if /c^Ky \ -y -> a fir Suiais rii+b##s <fc y if 

^S^^Tfgi^liS'J^roSiStcBil^^Wfia Lv BSE 
^•y h<hLTBuia'>7-i'7 T Vh#S;tciS^C<i:^!a 
<!:-r*il^2 2lClBK01SIiE->X^A 0 
[ff*JS2 5] BiiE^^-y>^iT-r5BliE-y— 
Ifttx BffiE-^y-y hWfUffl^BoI-rSBRl'y— 
t. liJEBEtt- /^IftlcBSE^^-y h^g?RL, MiB 
iSpj+^-/^|g-tcS8liE^>r.y hofUfflBRl^S^-r-S'J' 

BfiE-y- /^S6^^5<7'VH#Sl!:. Kli-y-/ \*# 

WJaisJSaA^nT'^^BH^^-y h«5li7L.x ^^-fT> 

w^Bor«3?«>. b Ri-y- / \"#ecois^m«<DS*tc « 

LT> ^^-f/'Vh^lftl*, SufBBEE^^-y hWfiEffllal 
Sfetfk (kttnUTOIE^SR) TS-Si:*. BIBIiSKti 

f8ictuiBm^©^pij£jsw« n - k lasfiufcjasies^ 
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m t BuSBsasti is t <z>-&*mmT % c t zftmt r s 

h#S«. iuISfSE^'y h^S85r+t-/\"#lftlc^LT 

L7\ ^-TT'Vr-^jaWu BuiBISSE^^-y hO^fflS 
Stfk (k(inWT©iES») fIGWSIt 
SBKjtflfam^tD^pTjSjftgS- n - k SSSLfdStgiigJilfc 
HuiB^lfffiiLT^L, I25J-9— huIBJI 

si£imme:mm£<z>-&*mi}?z££ i t>iz. ma* 
feoj*?immm* n-k iiiffiLfdstmsfiiKMST-r* c 

[11*^2 7] fulElSE+*— M^Stf. h 

^-sjR-r^o^'TT'v b^mzsin^Lxmimmm 

fB^S^U •>5-f7'>h#e(*, a.— •fiSEIf&tBy 
IBiLa<!:©ilieitHi5iBRffS(75^pIi£jSS«n + 1 0SSL 
/•c>f|g^«B5fBii8BEffi^1fa}«!:LTSI^L.. I8E+*— 

ia@lCByiBm^OTpIjS»>1l»«n+ 1 [sIJSLTs *<D>S 
mig*<!:fiulBigliES/Tx1tffl«!:co-Bi^6SSg-r^is SJ8B 
n-+f KSEIf « <!: BuiBita £: ©SUSlc SuIBm^<D^Hri£ 

js»« 1 [asgurcjSgss^&JiBiteffitfffii: lt\ en 

tcmSO^RT>e»S5n (nttlESS*) SfidLfcSlfBES 

ffi$RJS2 5 Sfcli 2 6 KIse<DfSiiE73-;£„ 

[ti*JS2 8] ByIBlSEtr-/\-#|ftjt>\ Bffi^v h 
«g^-T5'?5-<7'> h#f8K&»£^LTigEIIjjMf 
?B*g*U *.9-r7»>h#IW*. a— «fHlEflHBi:M 
I3SLa<i:<DSSlCB3iBm^co^5jiS3|g^ 1 Btt±itL 

ffett!SSft3i»ligfR*MfeiSEffi;fv1t$B<i: LT^L. 

Bii-»-/^«tt, «»ltm3-' •fBsnra^ete 

SJ»<t: £^TSuI3f8E^tt$8frSsutEISEm»*- 
35SU 85§Bf8fiEfflSLi!$«MfBiteE1f#B<i:LT. CtUC 
m5£<D*pJi$$-5fg*n (nttlESSSO OSS L 7=8513!^ 
1i$B*^t?l2E^-J> K«-^T-rse<t:«-!|f^<frsii 
5R)|2 5 2 6 tclBKOKfiE^jSo 



[tf*]S2 9] &e> 2 4©LN-r*l6HclBe<t> 

lgfiE->X7 1 Z il THff3-tl*iSii^Sfcliif5ft3S2 5 
6 2 8tDt^ftl*HC§BI8tDlg£E^a5cDSaS7"P^5iK 

Sya^^AIBiifiEi*,, 

[ftB«>lt«H«Wg] 
2000-222360 



(12) 
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[006 1] CdLfcft/ffitCcfclK KliE^'y t*tf<Sts 

ftt^ys^ft, ^>?)W<<>*>m<Dvm33?£Jb.zf 

BEE->X^<«#Sti*o 
[006 2] (JB 4 OHBSOfl28S) Sg 4 COHSSB^T' 

[0 0 6 3] B4lt C05/Xf^?fl!)7Ph3/bt/7 
r7Ph3/i/5/-^>X0?$§ e B4ICJ)VT, 311* 
2-f<>^7l-X^0^7<7>hm 321*11 
-1fBn*ffft3BH1*--/t#** 331*7* *-feXl«B* 

rs(K tt«K*ffit*fcBE?«ttHR*g*LT 

[0 0 6 4] <7^-f7*> b¥mitm£v—/^m2t 
a>3.—yBE#JHHcfit^Tid:. ^-fT^H^K 

KSI-yu I D«fc+J— /fB8!l?S I Dit^th^o/clSIiE 
S^RAuthent i cate Request301 *BSE1*— / *#!532lCi8 
£ c BliEgSRAuthenticate Request301^BliE 

hOW»0Bn*£fcft5fcOiLTfcJ:i\ * 
^Tft^if^lct*. BBE1t-/WBS«tcWJbSttn* 

[0 0 6 5] CtUCfctLT* BBE+f- M#«32tt. §0 

aft * * 5 tc*^ tifcaa r o * <t t, ft ^ tzmm* * 

UVv^Chal lenge302*3Sy iit"o C*l*3«'*c*5*r7 7 

fc/<X"7- KP WtSLRR 0 tO)iWStC»LT n + 1 « 
0/\y>aa»H*JSLtettlR*i:t»«:ofcBiE^^U 
>S?JS«Response303*iS U iK U C ftlcfcf LBlE+f- 
A#®32t*. U V^/SSResponse303U:£>t*£ n + 
1 »/V;> gSftftof C n + 1«y\y5/a 

aWS*t«l«SttlILT^rtiHriEatB», 3r*c 
tC^sELfc**-;/ hfflflffT I D£n + 1«/\*->a3t 
mS*£**fZ*X*>:rrS0<k1*-- /«»J?S I Dt 
BK-9— /Q2a#*sr*fr««8y?l I Dt«tt,a 
t^BK? SHWB * tlfcBSE^^ v hTi cket304£ig y £ 

[0 0 6 6] ^'7-f7 7 Vh#l931tBHr+^— 
f&33<hO*'JEB^#JlItcfcX>Tt*. *5-f7*> h^S31 
tfBpJS^Authorize Request&tfBBE^y Kicket3 
05*BrT**-/*#«33K2S* o C<DB§, BRTS^Author 
ize Request tfa-tfB»J-?U I D££*>ft^O<!: L 
Tt*l>. CtllCtfLT. BRTt*-/f#«33tt* COB 
BE*** hOttfflSBKS^<fflk*ifcftofcB^ 
* UVv'Chal Ienge306«&y jSTo Cft*gl*fc*^< 



zvh^iasH*, /^x 7- kp wta»Rot©aeic 

WLTn-k+1 ISO/ \-r>2 H £-fi£L fcB JR* £ 
*>ft o rcV&aj? * U V S>/5§Response307£& y igTo 
[0 0 6 7] C(D/\y>a3t»H38«J6»fi^«:— ^fijfife 

t«s»ofiaraa5>yAtt*»oT^*By. con 

y i/ a XIOSJIIU:/ \°X 9— KP WStfiLtt RO^e^ 
aatWeWCcfcyy^X^- KPW«a*iESfta— 

-> a igUSSJItfr 6 \ «y 5/ a aMJ£X« Vt*r £ C <fc 
fcT*¥ftl/*OT\ BWfbOi&BfcftlA, COJ:5<*:«5ft 
/\^>aSSHtLTIt Mli'MDS^SHA*^ 

[0 0 6 8] CtUC»LT* KpJ**-/\*#K321*. BrT 
U>^J&§Response3(mcfcl*5 n - k + 1 «/\«y 
i/ n ;KB«S tc * 6 Iz k So/ \ *y is =l MM&m L *c*S^ 
£ BSE* * y h T j cket least** n + 1 fBV \ «y 5/ a £££ 
«£*Jt««IiEU — amtfiEatBiftTBpIfflfflRe 
sult308*SSyig-To BpJii«I308tffUfflBR»c 
J: y T 7 * -fe X tffFqr^ tl fc« B I nf o^|i]B5tc £ ft 5 1, 

[0 0 6 9] u±Ocfcdft^a hn;l/i/->rvxtecfc 
y> h^SSUS/^X?- KP W^BrJ' 1 *— 

#S33^^i6*cS=#(c:^*rCi5:ft<> nEDETBE 
*>r«y K304«*BLTW«BW*»»Ci:#T**. 

[0 0 7 0] CO^-pft^P h3/b->-^>X*»OB 
BEVX^AOWflttco^Tia 5 o«ffi >ra ^EI^#8B 
Lft^SK^rSo 

[0 0 7 1] H5tC*5l/>Z\ 31tia-+fW^7x-X 
^o^75< T'V h^lS. 32WZL-1*BH 3 &?Tft3KiiE 
33ti7 y ^-tzX«iPg^*iJ0fiLT^BpJ^^ 

[0 0 7 2] <7^^T> h^mm, ^-^OjSSH^ 
?7ft^miOiS§fi#l5311<S:, 2-WS<0A^S» 
*A^#S312<i:. 2O0A»*BISLT/Ny>aai» 
H«?Tft3/\^->a#»313<!:, Sft LftBEf^y h 
*fliWr*^y h«S#S314t, Blf t7 KDS 
»«BJcKUTJOB*»Rr*«BliHR#«315t. /N 
y">a«»e«*»BBtcgB«-rs«BIB1l#«316 

■^^.6tl*cSaS*£:(i-5il6tlfc2^oafilOSO 
Sao/ \y>a ;H»^?Tft -5 ^15/ vy 5/ a #&317<h ^& 

[0 0 7 3] Bia)BBfl#fft311tt« M*^9- 
^OBBtClSCTffJittf L AN^)- K*OL A N-f V* 

S^— HMft-K*P I AFS*-K*0)*8<^ 
I r DA^E$;a-;U«po#»«-f>5r7 
x-X*Bft<t:T««3'ti, iififfl^tciSUTcneo 
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It. 0>J K, TVt-SWX?AS8§, T 

OX. h5>y*#-Jk ^71/7 hUO^-fV^-r 

a #S313ti. 0U;ll;f aSSESS £ / \ -y -> ill H 0)7 )[> 

ti*. ttv vzm^mwt. ysiMiStt 

T'$5o «8ffi8B1«#ffi316U\ flljU* I C*j-K©<J:d 

"&„ £l&/Vy->a#l8317W:, fllS.tt/Vy-I'ajgSH© 

•y * r**8BHP«K***V h-TSA^V^^IifiitDM 

IBS^S*"^ ? pp >K2-: H Sffcliiflfflpv fcfa - 
9±©a V tfa — S» Xp ?5 LTH§iLTt>g 

araa-pxa utm^w\.z%m u xp y=yuim 
mam y £h t fcttaic «t y ngi l r t a 

[oo7 4] mtc. isgiE-y— i^mm. 7*-*4>2g9 

(H^tT'5:3m205jM§fi#S:321i:s ^SBfSiJ^itBfr 
•5&&f+B$#i8322<!:, n'X'7- KtW>JL— f KSEIflS 
*S«T£f8iiE1t$8§«-J'&323<!:. a— f&iBUJlS 
Kgia*£/£T*SL»£f£#fg324£: v 5;t6nfi:,fcy 
1 1 ^t^sa©/ \ -y -> a H ^ T ft r> sg 2 <D$W \ v 

->a#S325t, 2 00^©/\-y->afii*Jt®^-r^ 
f8SEKt£#'8326i:. BH^y hSKrfclca^— 7& 

[0075] m2©s§ft#ift32ii*. mm*v h-7- 

❖ ©fUgtCtS CTijllf L A N * - KISCD LAN-fV^i 
7i-XgS, S-SX/UT'XX*^© I SDNf>* 
7i-XgB> tfi 4 SClg>r>j!7i-XgS > St 
flf^-Sillf*- K^PIAFS*- FiftDfcMSH'V* 

i-XgSftt'T'ffi^S. BfiEitBf#8322»i. ffil 
*fcr*^fc?>*jbM"Sffl3-*i£„ iSSE1ffflS«#S:32 
3W, *§*©*tyx/\VXT«tJ5E3-tv ifv/Stt 

S324(*. «y^(#iLia^fig7'/udry x^«e»i&A/f£ai 
glass. s^cHimsswy-fx^^— Sf<b-r*^»^a 

^ii'TflSfiKfftl^, M2CD££8/Vy->a3M8325«\ ffll 

\ -y ~s3.mm h (DTibzsij xj±*mft-&h,t6mni°i 
mztati^y ^r^m^mm^tioy . 



[3SST*«!fi)t*tii.o BfiET t f«ttHI#«328W:, BSE^flc 

r= ti "rbi a y tf a — * ±0 p v e a — > xp x-5 /* &m 

M LTH^LTtiStv 3&.5i<M;t*-<0P>t:°a-$Xp 
X5 Afc^SX »J *TttJ{MBSC-pXn X5 AfBSilggmciBfg 

[0 0 7 6] Stc, BrI^- A-#J$33li, t 1 -- fcDSS 
<l*S*5Sl3<DiS§##S331i:. 3RftQSlJ«tmr 
5i2pJlt^#IS332i:, ISil**-;/ h l=f^D*tiftSSE 

<rv ho^-T-'y usis'j^iwaiiia.h^iyfijraRisgiaa 

»©/ \ •> -> a iim H«tG5I3 \ v -> a #S33 

20©*Sn«v->afii5Jht»R8^-r5igpJ^# 
S337i^«^.Tt^„ 
[0 0 7 7] S3roaSff#e331(±, h7- 

7i-xgi, ^T^wmg-rv^i-xsH, si 

7i-XgI, I rDAiyi-/l/f(0iji|.^>57 
x-X^B)5:^T'lgfiE?tlS 0 iigHI§t^#®332tt, m 

|gSE?eiiiE#S333 

«^ l^SE : ?«iiE7 , y^dfyxA^^fi*•ji^/-£3lgIllgsR^f 
^ggroy t y f/(-fxi <o«§^tc ,t y *Sfig^ ti^o 

m 3 iO^S/ \ -j -> a#®336ti, fill jltfS 2 <D£f8/ \ -y 
->a#|ft325<t:l^«<D3ISl2lSST'*^V-?<D^y-b'y H 
ffi«-aJt46t<OTSfi£^tli>„ iSHTBI^#S337«, ffijjl 

P V t° a — J? * fclitflffl 3 y tf jl - ^» ±<E> P > e a — 5» 

V tf a— * 7 □ 7*7 It«Rtt »J Rjfig^^iCT'-7*P ^5 

iB^sifttciB^L, ypy^AiBsasttKgxygatia 

[0 0 7 8] ^©.fc-plCfllBK^tirciSffiETS-^St/ISiiE 

S/j^SlftHfl-rs. CCTHi, !SiiE"g3£Authenticate Req 
uest301 mm** v h WJftlUiS n ^ t *>1& o Jf^tco 

[0 0 7 9] ^^-fT'Vh^iaSHCfc^T. a- 

■trg#*55ra.— yiasij^u i otvimv-i^muz 

h©g!8l[2ian tfl-a— »f A73300i: LTA73^S312IC 
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AWn5 (ST3 10K ST3 1 0 4) „ A73# 

btm&muu:* *t- /wj^ioitcftjfc-r^is 

liE^y-y hf- S»£8SiisLT (ST3 10 2) , fciislg 

jgs^s^^toSjMJRSMftsisKis*,, *an>iitR#i83i5 

BE«JSei)jifi]3103€-|uIBA^#a312Stf ^S/ \-v > 
i#f8317lC53S»A Wy*5VrJ§£Ktt (ST3 1 0 
3) v f'Jffl|gBl#llitgiKia3104^Bi)i3^y-y h«J$# 
fft314i^ffilB1t#ia316<t:^S/\->5/a#ia:317tlcJM 

So 

[0 0 8 0] fi5iBA7J#M8312fcJ\ 3.-+f|SEE®B)ji5a]3 
10336^*5*1*^ -^{^Lfca-tFAZtfOOfreSX 

05«m 1 <D2SSfi#S311*^LTKiIS5RAuthenticat 
e Request301i:LTigiI+*— /^#!832lc2jy (ST 3 1 
0 5) , W5aiiia3106^Sy\-v->i#lft317^SI»A 
/\°7.-7- K3107*/\'y->a#S313lcaS„ 

[008 1] gg|iE-*-/<#K32lC*3^Tli. ISSES^Au 
thent icate Request301liS 2 ©2ISfl#&321TSfl? 
♦U UXtH * tl/cn— y t s8ES'J?3201 tf&lltf «S»#S32 
3lCiSS*U H»!llE]S3202;fcSSi! 2 <D#&/ \ y -> a 3M8325 
SO : SgiI ; f«lia#ia;328tCjM6tlv It- /<KRIT3203# 
&ifr?ttJlD^8!328lC2!6:|a* (S T 3 2 0 1 ) „ 18U 
« $8§®#K323tt, a-+f ffig"J^3201 iC^fST */ 
■7-F*«IRl,T (ST3 2 0 2) . *fy<D«§#Ktt 

(ST3 2 0 3) , /\°X7-K3204*^2«>^lft/\yv' 
i#S325lc5M»J. fc?lslSglilSBM3205£&»£/S#fft324 
Stfm 2 0)$W \ »y *s a#S325lCS5, 

[0 0 8 2] &tt±fiK#»324W\ *$PSs)£lilj§fc]3205tf 
*»J x-^StSUB©^ UVv>SJ*3206 

^Sr/iK 5 > #U lz±tfi. LTm 2 \ >y -> a #19:32 

Slcmztfrbte. m2©SSg«#l8321^LTi8SE^ 
■V UVv'Chal Ienge302i: LT?7-<7 T > h#S31lCjgS 

(ST3 2 04) „ S2©^SMy->a#l9:325tt, tt 
^iS^iia3205*^»J*^-r^lC. A* 1 ?- F3204<>-. 

U>->*SL»3206tOSieic^L*?8!)Eia3202j:y 1 
^SS©/ \ y -> n 31© H £*Tfc o T. SSUKD^K/ \ * 
->:Lffi3207£i8HS8£#&326Ka!* (ST3 2 0 
5) . 

[0 0 8 3] CtUCfctLT? v-CT'V h#IS31ti:fc^T 
ttv iSH^-V UVv^Chal Ienge302ttlg 1 <Oi£§(I#S»31 

TWMsn, * * u v->gLa3io8«;i5j y ttj*tir/ vy 

->a#lft313tCjS6tl5 (ST3 1 06) . /Wi'i? 
S313«/\°X7- F3107i:** UV ^83108^:051^ 
(C«-r-5/Ny->a>S»H^T'S:oT (ST 3 1 0 7) , 

&m<r» \ y -> afitsio^tsffiiBit^ssieau-^K/ \ •> 

-> a^SSWcSI*,, ^®IB1t#S316(*/ \ -y -> affi3109 
fcBWSKiBULTmJEcOT^-fe*©^ -T^-Sa- 



+fl5!iE#|iHtc*>nt5ill)PMIFrRtfipJffliSRj#)lHc*;ltS 
&m(D3*&®?2> (ST 3 1 0 8) „ #f&/Vy 

Bt, /\*->afil31O9lcSJa0&31O6lCfflSTSKa<DM 
•yv/ajHWH^frfcoT (ST 3 1 0 9) . Jg^©^S 
/\-y->ifil3114^ mi ©5HSfi#l9:311^LTiSII 
UV^*SgResponse303<!: LTlSSE-y— M#K32K 
(ST3 1 1 0) . 
[0 0 8 4] CtUCfct LT18IiE+*— /^#l9:32^Ji^T 
M\ iSSE** L/V^^Response303ttm2©S§«# 
16321 T'Sfl* *V £K/ \ > -> a ffi3208tf SXtU * tlTK 
Efi5^#©326lCiM6*l-S (S T 3 2 0 6) „ BSEB8£ 
#S326tt, £18/ \ "J -> a fi!3207 <t \ -y -> a fi!3208 
ta-BtfJSEfcfrfc^ (ST3 2 0 7) , RdtSjR3209 
«f^7 h WSA* *feJS#fft327K3£;5 <h i tlC^S/ \ «y 
-> afi!3208«-5-<D**^®/ \y -> ifi§3210i: LTKSE-? 
^JjD#lft328tuiSS« ^^'V h!SSU?ifiK#S;327tt. PS 

^*327^-iR*^-rJi^(c. m^rf^y vmi\=f-i 

212«*figLTI8SE^l)D#S328lc2l* (S T 3 2 0 
8) o 

[0 0 8 5] ISH«-^#l9:322tt, 3Eafi^J*H-^LT 
fcUv 3Hl^J(CSr5<^'T/»X^V^ , 3211^igSE^ 
fi^#la328^C«$gLTL^5 < , i8EE : ?^D#S328«. 
v \*W&&22U£$$SltVy ->afit3210<k^3ailsl»3202t 
^-rZvA^>^3211t+t-/ \"®SU?3203 tKH-t-/ «2 

^^BKLTf^fiPLTiSSE^'y hf- SJ3213tL (S 
T 3 2 0 9) . m2<DSSS{t#l9:321*^LTigiiE^^ 
-y hTicket304<t:LT^5'r7 T >h#fS3HcaS5 (ST 
3 2 1 0) „ 

[0 0 8 6] CtllC«LT^^'f7 7 > ^K31(Cfcl^T 
lix SgliE^yy hTicket304liSl05jSISfI#fS311TS 
fl*tix Vmr+v hf- S'3110* , :|Xaj*tiTBuiB^^ 
•y h«Jt#S314fCiM6+l* (ST 3 1 1 1) . b3I3^ 
$"y h«f##S314tiKlI^<r-y h7 r -'S'3110«-<t-/\* 
ISS'J^IOItWJS^tTlS^L (ST 3 1 12) , f"Jffl 
S8Rl#llSEi()jl«]31046^^.5tltcJi-&(C, KSE^y 
h x— 5« 31 1 1 £Sg 1 OiHS<l#S31 1 Hit ^TWm.TT 
•y hTicket305iL,TI8BiIS5RAuthorize Request £:£:*, 
iClgRlHt- /^S33lCi3S* (ST 3 1 13) title, 
KSE^-y hf- S»6"e^St)[2ia3112*l5iaaLT^S:M 
■y->i#S317lCsS5o 

[0087] C*UC*J LTggRl-t-/ ^#S33U:fc^r 

Kll^-ir-y Mkket305€-i:t,*-=.f=iSPlS?RAutho 
rize RequesttiSSOjISSfl^asslTSfiS-tL, S8II 
**-y hf- S«33016^ai*tlTISffiE^«liiE#S333lC 

issti* (s t 3 3 o i ) „ m£*m^mim. m 

<t©S^1±*^IILT«sI^m3304^^>r-y h^^J^ 
#lft334lC5S* < i:i'6,(C (ST3 3 04) , x—S»SP6^ 
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6 * -f ut. * y ^3302 1 n-j *k»j^ 3303 t *ffitH L T 

«/ \ «v a {13306 1 *a » ES3307 <b Rfr#M8!J ? 3308 <h 

[0 0 8 8] BRTW-B5#fB332tt* BSBflUettftLT 
fiy. «ffiB5S"JlC«^< >73309***v h 

«JWJ**«334tc«l*LT^*. f *y h«»«S¥ 
&334te, ttBBB*33043y«yftL*Sr«^iC (ST 
3 30 5) . *-/«BW*3303trtW(C«»LfciV- 
/tBffl*iO^«*«Tft9t£fclc (ST3 3 0 
2, ST3 3 0 3) , *<<LK7,*>7ZlQ2£m&$mz 

i«TS*Ct^i-y^LT (ST3306. ST3 
3 0 7) , t^mt>KT**»$^^^y hS»iiM33 
10**** h«B»««335lca*. CO«SMSH 

ffltttfiTU «<B36r*i:a-1f3PJffl1S«lRl±r* 

[0 0 8 9] ZV)£Z. **rv hfy/ag3#»335li* 
*y h<JXh*nLT£U, f<ry h<r«Kl$ED3310# 
4*.S*lfc»*lC* **>y hB»J*3305*ffil>T**v 

(ST3 3 0 8) o KStTftt^iNIHttilf?*? hW 
«J*3305 £ W«J[h]»3307 <fc » U Spjffl pffiBHR <fc 3&^"Tffi 

t Lz^m^msoKom^^y h Mci&anLiB 

ST* (ST3 309, ST3310) 0 £<DB$ V 

/ \ «y ~> affi3306£»?r*«»J«308£fcte«TKtt LT 

»335t*siy?ijfflprfiEiaa*i«u, iran*&ayH 
nvimK&oatfsr¥uninH33ii«3K» (s t 3 3 

11), Ctl^S3(OS§fi#S331^LTIgRr^V 
U>i/Chal Ienge306£ LT^7^7V h#IS3UCjg5<t 

£*>iz (ST331 2) , mo&mwi'zL^mie 

vz/^milUt LTBRlBBft#«337(caj*. 
[0 0 9 0] Cft(C»LT*5*7 , Vh#B3ncfct*T 
te. 13rJ** UVv'Chal Ienge306ti® 1 <DS§ft#S31 
1TS«**U MfflStt3115fl«l»ffla-tlT*«/\y5/a 
#S317lcaS6tl« (ST3114), *&/Vy->a# 
&317I*. HffiB^#mBIUin3l04^it.6nTt^% 
JSetC, SuIB««IB1t#l5316J; y/\-y i/affi3113*« 
T (ST3115) , /\y->affl3113lcWJaiHl»3112i: 



f »J ffl 0&31 1 5 £ com KfflMi ? % ©SO; \-r>iiSlH^ 
ff^^T (ST3116), mjS/\7V2 {13116 
£\ Sl(05SSSfi#S3n^LTBpJ^^U>i/*lSSR 
Gsponse307<hLTISRl-9--M'#S33tC5S^ (ST3 1 1 

7) . 

[0 0 9 1] /\-yS/a3IIlH4i«»»Se^a-»|ftttt|S 
IRtOiS-Slf^vyAttS^-pTt^Hy. 
•y v/ a {131 16**/ \°X 7— KP W&tf&» R 0 6 t> 

s/affl3n6tc* y / K p w»osiES*:i--+re 

/ \ «y -> a {lie £ £ A «y -> a. mm H < fyS to 

tlTl^*fc», c:cD^S:/\'y>/iLfil3116^6^c7)^e/\ 

0 0«W±BBT**4:ff»i. «Ha«BT**i«B» 

[0 0 9 2] CtXtC»LTffiRj'9— A#|ft33lCfc^T 
li. fgpj** U>v f /SS : Response307^m3^§fi#S3 
31TW1**U *«/X-y5/a«3313tfBai*nT*30!) 
£f&A*->a#g336tCiS6*i;5> (ST3 3 1 3) e m 
3 Wis 3. #153361*, \ *y a. «3313lC5flJ 

S@tt331 1 (2£ £ r ^lfta<D/ \yi/a. 3IS H ^?t6 o 
Tv \ *y a ffl3314*B rTB8^#«337 

(ST 3 3 1 4) e BRTBd#«337tt. *S/\ 
'y 5/ a{i3312<h -*^S/ \ ^y 5/ ^(13314^ JE* 
SSl^ (ST3315. ST3316), KT$^^:6 
«BRTiiaj3315%, S3^3S§ff#S331^^LTlSpJ 
jl^lResultSOSiLT^^-rZV h#fft3Hc2Sy (ST 
3 3 17), ^7<7> h#!ft31lCfc^T§<I**l£ 

(ST 3 1 1 8) o C<7)*>^C<fcy, ^^-rzvh^s 
31^/\ 8 7, , 7- KPW*BRT»-/^«33**»fcW=# 

[0 0 9 3] W±OKWT«^5-r/ , Vh#«31 
tcfc^TMfflBpT#«a>fc \ *y affi^ftg-r 

<0&&/ \ *y z/D.m*mtmU LT«S&IB1t#©316lclB 
1f-T^«^<!:LT^St\ «8®I3ti#ift316 

(t LT<fc y ^sscoif^ >/ \°ttp< ^ y u x&mi*z 

[0 0 9 4] :*U:. 05tCSL/c«4<OH«JBfl8(DKIiE 
->XxAlCfc^T. BBE-?iLTyyfe— ^BIID-K 
«ffl^teBda>BK?^#lil328aO : BIi?«E#«3 
33(DP*ffl^:♦S^!^WSL^ : it^mcot^T. 07»tfl218 3&# 

[0 0 9 5] BHT«ttI#«328W:, H7iCST*5 

BBit-/«a#*«rBai?#E«*nftaB»jdF 

Etl#«328Afc, f r -**JIIS"r*T r -^5BS#«328B 
t . A •> -> a 3SS h ^-frfc 5 j*!Sx- * / \ -y -> a #K32 

ro«sffii LT&-z>v—/mmm*iE®?z>v—jmmm 
»sffl»¥«328Ei:. iBijE^-^x-^icaersisii? 

SiS#lft328Fi: 

[0096] cogisgy^iBit^^sAii, fljTLtf.*^ 

'JT«fiK3-tl*. x-*iiUg#Ift328B«:. ffil^tfltSS 
BTflUttT**. BtSx-*/\y5/a#»32KI*. ft* 
If / vy ->aSI h 07»/Hf y XZ»*«*&A,7£2SSE]B 
T«fn«. CCT'/Vyv-ajftghl*, /Vyi/ajRg 

iBit#ia328D«. mify^yTwaa'tu w*v/\°tt 
t»9ft/ty xvt-r x-psnmcSAts &ib#3 

Bf##8328Ett. m«W#7 , /Udfy X/**«*ii/ufc 

CC-M»7lUdru Xl±t LTtt. ftxtf D E S ■¥> H 'J 
D E S a £#<»BT*$ BIE?a&#a328FM:. 

ft*t#ii3i3BT*«iEe3-*i£o 

[0 0 9 7] BSt?«fiE#lft333». H8ICST 

BSE-?*^-^^6»»r*i8SE?»Mt#S33 
3A £: . / \ y -> a 58S h £?rfc "5 & 2 ©iHSx- * / \ y -> 
a#S333Bi:, BEtf-/ *#lft31 <tKRT-9--/^#S32t 

+*■- / \"«jg»t3t«#S333c t , &iia«3«)imrae 

ffft-5S2«5«iiSI»aBg##e333Di: < x-$g&:£# 
fflSWT* x - * »SI#S333E £ . MfMHyTOM 
r *f8fr««WJTiad#«333F p< »t-9BE3- 
K*Jtl«ME-r*]«R#«333GtJl«LT^*. 
[0 0 9 8] ;:cDBfiEx#8t#»333Ali, fiftlfBSE] 
SST'*gfigT*-n*. SB 2 £>i»gx"-*/Vy ->a#H333B. 
IB 2 Of-/ WiiaiB«#®333CSlfm 2 (0#iiSl73 xt 
W#*333Dtt, ^tVFftEI7l::fctt£328C, 3280, 32 
8E£BIU«J:5fclll«**i*. x-*#B#K333Ett* ft 

#«333C ft * «r UMm&om-s-eiz <fc y «B£* *l 
a la dmmtWR y tzmtrnfr-gtontcmmz* y 

[0 0 9 9] W±03 <t 5 (C«fi£?nrcEliEW»D^S32 

8&tfBiiE?«ii#ia333(D»jmco^Tift(!B-r£„ b&e 

^ttira#&328Tl;Ju SSSJ3'Jxi3t§#&328AfrS 
x-* SiS#a328B KBSE"*-/ \* g # MgiJ-f^SI 
*T«itESiJ?328a,hLT#«e;rtlT^£ < , x-*3*B#|g: 
328Btt, IB 2 <OSS1i#S321 «fe y W tcm^mm202R 
UV-/m%fr2203t. S8liEra^#lft326J: yf9fc*f8 



svy ->afl3210£, BSEf+l§#l5322<J: VWt4"fL>X 
*>73211£, h«HI?£fi8#«327J:yf§fcx 
h«gy«212£» i3ESiJxSS1f#IS328A«i: y If fcfg 

— **328b£ LTjUax— */Vy->a#IS328G'4U : !S£E 
^3S#l&328FlCiil« 0 

[0 10 0] ffi^5 ; -^/\-yv'i#S328C(*. x— £8B 
328b-CttT*/V;/->:i«Bh£ff&oT\ *SJg©/Vy-> 

BHi#lft328Ett. +>■- / f ftiUUBS#ft328D&£?- / * 
«5ISI328d£t#Z\ Ctl^^micm^TJ \ v •/ a <I32 
8c^Bg^bLTx > >>-b- >?BBE3- K328e£ LTKliE 
?-a^lft328FlcJS5c BSE?il<S#S328F(i, x— ? 
gB328btC^< •>-b-v ; igSE3- K328e^JlgLTs KSx 
^-•y hx-^3213^{!37D-r-So 

[0 10 1] KliE?«liiE#ia333T'tt, ^-T. IS 

SEx-ir-y hx— 5»3301*i«igIiEx»8l#S333AlcA73* 
tls y£ t-yUBE3- K'333ai:x— 5?gB333bttc»ISi 

— >gB333bttm 2 CDjUgx-^/ \-y -> D.^mmRVr 
— S'»Bt^lft333ElC^-tl ; rn2ietl*. Sl20SiiSx- 
^/ \ y -> a#IS333B«. x-^gBSSSblcWr*/ \ >y -> i 
SH» h^nti-oT. KSmo/ \ v is d. fit333c£ M 2 <D^5i 
S^iCBf^SSSSDlciSS,, SB2©»ii8t:£itBg^#a 
333Dti, S 2 ©f -/^ji8fBra#l$333Cfr6-y- 
ilS333d«|f T» Ctl^Bg^Slcffl^T/ Vy ~s i<I333c 
^Bg^fbLTv itRffly-ytr-i>KEa- K333e<!:LT 
J±»#S333GtCiS5„ x— S»»g|#|ft333Eti, x— 
333b£*-r/»;*$V 7*3302 <!: y — / \-KgiJ-?3303 1 x ^ -y 
h ^g"J?3305 i: \ -y -> a fi!3306 1 ^«J0St33O7 i « 
It#^SUx3308 i:tc»SILTai73-r«<i:i: i tlc, 5§*t# 
Sg|J^3308^J:r^^.^Tttll^T#algU ; ?SS$#S333F^ct,S 

BBE-y— / womifrfrii o &*m& u p.s^iem333f 

«-ib«#S333GlCig5o ib«#IS333Gtt. Ba^j@^33 3 f 
tf— a%^r*\ y y-t-^BHa- K333aitkRffly 
•yfe-yBEn-K333e<!:^— Sfe-r^A^tttc^aEie 
«3304«ai73-r-5o «IEeS3304#!igyjg;U^-r© 

[0 10 2] :*tc. 05rom4OHSfiJB^<DBEE->Xx 
^icfct^Tx BSE-xd: LZf-y^iVm^mi^tzm-BOi 
BSE^»0#S328St;BiiE^«liE#K333O«fi£SU:i(j 
fPlCO^T. EI9SO : ll1 0^#RSLTlKB^-r*. 09 
Kfcl^TE) 7tmiSZ>Olt. *f- /\"^il8IIBtS#S3280 

su r «Jia^5CBg^#S328Eof*^ y tc, Bii-y- / <32 

^#S328H«ia(t feme & a steffiSIB1S#S328G <t 
328H£ L,Tl*> MXim^T ll>3>J XA£Sl*&A,/c;it 

[0 10 3] 01 Ol=*5l/>T08,>;gfc£CD«\ 

m2W-/«iiglIB«#ia333C m2(Dtt>l@^Bi 

BE+T- /\*^S31©liB8^+f-/^SiJ?t»l5^tT 
1 o«±S«r«^-/\*4iBISga#l9:333HRt/iiBia 
* ^Bf^<0«^iaa*?7^ 5 iiMStTs 5Ca^#lft333 J £ 

8teWf&333Htt, ISSE^-/^lft32<D^«:6-riSpr-t 

-/VAmmmm^mmtLTit* ^yigatf 

ii^a^^#®333Jt LTtt> flJ*.tf«W;Udry 

Xix^iSi^^/ufcjiiSiaiKS fciiimusms -t: -y 

Pja73^Bf^#S328HlCfcnt«Bi#7 , ;Hf 'J XAKttfS 

5&fc\ ±fB&#8^f ^ppvei- fztcimm^ 

> fcfa— * ±0) n > fcf a — * yp ^5 /x^ffl LT0S3t 
lxy«gfigfcJ&az>:/py7A&S®&W=S3«lU ^p^ 

[0 10 4] W±©£dl=tg/ffi;*ftfcBE^ttl)Q*&32 
8S^J : i2K?«^liE#la:333o^i!Ift^c•p^,^Tl^^^■rs„ SEE 

?«*D#ia:328T't±v SH9J?G1t?Wt328/U x— £51 
S#S328B, «S7->/\f > a#«328C«>ttm*H 7 
©«&tl^«T»y, 7-48328btfBIE7&IS#8t32 

@lBii#«328GfrSgite&@328f:&*#T\ C*l£B§^SI 
(Cffl^T/\-y->afil328cSBg^bLT, xv>*/l>»&32 

8Ftt, 7 i -2^328bl=7^*/l';&S328g£>i!StLT. B 
SE^-y hf- 5'3213«m73-T*. 

[0 10 5] 3: ft. KBE?«aE#a333T*t*. **\ B 
SE^-y h 7^— 5< 3301 ^|gli?»S?l#S333A(C A7J * 
♦U 7*S>4JU*«333g&7*-*W33b&lC#B;!rtU x 

333b Wm 2 OilSt t 1 - #l8333B&r/x - * ft 

*#a333Ete«i?*iiBs*i*. nioymfeT-z/vy 

-> i #833361*. x— S» SB333bl=*tr */ \ -y -> a jSSg h 
SfiS \ -y -> ifi!333h€-ik®#l9:333GlCja6 
*. 5*-*5Ml#«333EI*» =r— >gB333b«^<ix7.-S« 
V 73302 £ +f -/ «S"J?3303 tfryh KBI73305 1 & 
W \ -y -> a {13306 <t ^J»l2lSi[3307<t: fifr#^giJ?3308t 
KttSt LTtti^-r^ i: £ *>(=. 9Ht*K8!I?3308(coi> 



/t4JHasa#S333H(Ct.2l*o »- /tfiMI 
*Ht¥R333H& »?T#g6SU ; ?3308^ei«]<OBiI+*— / \* 
31 (*ftttBRT*T- /\*32) ©affi"J?6^56^5SIHd 

#Bffl!ff 3308lC»arT \*^B8®333j *&H8££ 

ffl^#®333Jl=2£*„ 

[0 10 6] 4iHa*iC«##lft333i«, 1r-/<4iBiffl 
333j^m^©lCffl^Txi>^;Ua*333g^#{bLTs 
lUftJi/Vy *>a<l333k& LTJ±«#lft333Gt=ig£ 0 J£R 
#833361*. Rg^S333i««— Sfc^f*\ /Vy->a<I 
333hi:J±®ffl/ \ V 5/a«333k & tf-gtT«&Sfc£ 1=1* 

SBe*3304*ffi^j-r mat JK3304tf m y % L*svr 

[0 10 7] C0)<fc-5l=. KSE-VX^A^COHSfiJBJS 
©IU££i$*c:£t=«fc y„ 9^-<T> hflMm-mom 

[0108] (» 5 ©Hfl&OJfcSg) tt 5 ©§£fifcH58ST* 
tt. £3eJt^ttQBfEi'X7 1 litc£U-«R{tttttii 

«#dt*ti*l6tT-r**#ao^a -y ^^gfi)t^=o^,^T 

[0 1 0 9] 01 1 l*m5<DSIiSJB®lC*JW-*BSE->* 
fi>©7Phajl'S,Tt7P HliU->— {rVXHTJB 
5. 01 1lCSt>TH4i:g&5fl)tt, 3.— +f'T>^7 

SSSE+r-/ ^mit TSoT, BrTIt- / \*#f833tt£fc> 
y^ftts S/i:^ BiiE i ? : -t'UVv , *lSS : Response401*^a. 
— tf-r>-Sf7i-X*7>LTA^»S-tlfc/\°7.'7- KP W 

taistR0i:oisic«Lri e©/ \ -y -> ^ -as h *ss 

Ltd^mt.^^^ T-y H#®41««»ffiHl=*fiKLfcBBE 

ffla,asot©sffsw?iSs?pism (ib# r@j «^f6^ 

WBBaW*ST) ^.tt^^jS. Bif^f hTicket 
402, 403tf <t t * 5 / \ y -> a ailOSJIltfB&ffiaJK s 0 
l=*rr* nS<D/\-y 5/a3WWgJRT**ja» BrI^-V U 
V ->*fSSResponse404jbS tt4?Ayi/i StmtS^B 
SEfflSias 0 (CttT « n - k S<D/\-y ->o.jilST'*«)S 

[011 o] «±o*3ftyp f-3/l/->-y>XlC«fc 
•J, h#IS41«/\'A'7- KPW«BRlt7-M 

#lft33*#46/-cSH#lC^-rc:t4<, n|I|$-Z?BBE 
^^■•y h402«ffifflLTf'J^B5I«#«c:i^T*. B 
BE^^r-y h402*V\"xr7- KP WtcMOMROASTSS 
'FiE«:m=«l=J:*/\°X'7- KPW*S5fefci6© 
i*S3<fSll=T6S6r. £»Jfi£tttf>l.\ 

[0 111] ctO^^^^al-zjil/iy-^vx^Jt^B 
Ii->7.7 1 IkO5«lB8l=-P^T0 1 2 <d«SbE-?p -y ^0*# 

[0 112] 01 2iz3$^-Z ! &W5tg1iZ><Oit* =L- 

BE*ffa9BB»-/«*«42T*-3T. BW-/<* 






JP 2000-222360



kfy h«0BBBB9BnBB*f?ttdBi 4>BttttBB 
«#B412*KW\ ^4>BB*tt«fcjA(z:&*. £ 
fc, BBE*- /t#B42tt:£(^TB 5 <DKE+>— / *#«32 
taSSOtt, B 2 V>i/:i#«325* ise*s-& 
#©3264>«;b y (C % Sftft H fctrfc 3S2(7)/\ 

y>a#«421, hf* hSOSMfittlSa«3l»^T*-5 
W2 0»MftftB«ai#«422, 4*Stifc«tt<D/\y5/ 
a ftff H £frfc 5S2^g/\-r>i #«423«8W\ 

— aB©is»«a»ftjfttc**. iSE^aa^jffi#©4ii 
tLTit. «*«faa*«7 T ;udryxix*«*aA/«ai 

*£flH»BT**. IK B24>*mflUI9BRm4l 

2, 422<tLTt*. mxmiMBmiMm?**. mio 

/ \ .y 5/ a #©421 <t LTte. «5t tf / \ v -> a Bg H c^T 7 
*«/\* va#©423<5: LTl*, MX.I£421&n&0>BB 

con V fcfa - # ^5Z**«£E LTt>fil\> 
S^tMi^uvfcfa-^^n^AJ&RWypTfigftJB 
5ST7py5AEB««MclBBU ^py^/xBBBf* 
R*y«B4:«^*>*fe«aiCcfeySI3|ILTtfiL\ 

[oi 1 3] tx±cocfc 3 \zmj&axrcvm.^x=rLK<r>m 

ftlc^TBl 3»BLfttfSWI5T*. CCTIi, 
BESgtAuthenticate Request301#BEf^y 

01a n ^ <h t, & 5 iz -o x^xmmt 

[0 114] g:-T> ^5<7 7 >h#®41SZJfgiE+t— A 
#«42lCj5l^7\ Bl. fg2<3jSS<i#g8311. 321, A 
*J#©312, h«Jt#©314, «lJIiiiK#g315. 

iBEt§58§ffi#©323, SLA£jC¥ft3244>flMMiB5« 
H60«ftiH*7Sy, I3ES*Authenticate Reque 
stSOI&tf&E** U>S>Chal lenge302#3*ft*ftT. 
l^'tTy h#S4HCfcC>T«a--9 t BliEffl31fi|jKi*Q 

4101 Kftu:nBBqr#nBiBin3io4tf . be*-/ *# 

©42^C^t^T«WaIaa4201<h^-/\^U^3203<^/\ o Z 
7- K32(M4:«BB*»»4202£** l/V ^SA3206 1 
SWSti*. JWEU a-VBEMBSIftBfiMloitfn 
§BA*)#®312. BEBaA£J5K#K411srfBlO«Mt& 
WBS»#«412lCi8S;h.*j£u «»HSt4201tfB2fl!) 
*«/ \ v > a #©423&tf BE^ttAQ#©328lc£ 6 *l* 
j£u «B«*iffl4202tfB2(D/Vy5/:i#«421. SLSt 
£fS#©324&tf*>r'y hBM*£tf#«327lc»Sti* 
j£u * -V L> > S?&R3206tf B 2 O/ \ v */ =l #15421 
6 tl* 1 1 «, KB 2 OS§fI#©321 £rt LT * 5 -f T 7 

> H#«4uciS6tisjis^Baao 

[0 115] ^^-f7 7 VH#lft4Hi:fct>T. BGE 



fflajs^ja#«4n», o.-ifBE)asBKian4ioi# 

4*6tt*<!:, EES*E^tf:ffl^Sft*BEESL»41 

Bsn#»4i2&UBBEtt#»3i6(;:£* cst4 i o 

1 ) o ttetsif #fB3i6ii* mwm&mm&ummiz 

KBLTBTSaT^-teXfl)*. Tftfe-Si-tfBEWB 
(C£(t%aUEIRSVHBBRr#B(c£^%9B<)»W 
ST* (S T 4 1 0 2) o B 1 4>«ttttBSft#&412 
tt. a--tfBEfflBfi»a«I4lOl3!?^*sn*t, ny 
i/ a#S313cfc y ?f fc/ \ * 5/ :i^4103 £1SEJBSL3£4102 

toBTt:^ bm(oiimtommmmn*fit*i\ tsmt 

LT»6tlft«SL/\y->i«4104*Bl 0)&gfl#©31 
1*^LTBIft b> v ? U&S : Response401 <h LTISE+J" 
-/^«42icai« (ST 4 1 0 3, ST4 1 0 4) . 
[0 116] Cftfc»LTKE+f-A#K42U:*>^T 
ISEf 1 ^ U>^JESResponse401ttB2 0>2SefB# 
«321TBB;**U «a/W>a«4204tPBa*ftTB 
2 0BftttBSffi#tt422tC£6tl£ (S T 4 2 0 

2) o — *TB20)/\yv/a#S421tt, BBBfRiiKM 
202#Wy *«TB$te, /tZ"7- K3204&?* UVv> 
SLtt3206£G>iMStc» L/\7->2»J|H £?t% o B 

\ v •> iB4203*B 2 Og^ttBBffi#&422(Ctt 
*SLTt>^ (ST42 0 1) e S20SMftWSSSW#S 
422ti> B 2 \ v */ zl #©421 <fe y if fc/ \ -y 5/ aB4203 
<hJtSL/ \ *> a«4204tOMT*kr y KftCDg^KlBSW 
B»*ffftt\ ^m<hLTi#6tl/i:ISE^iL»4205^m 
2 0>M/\^S/a#B423ls:B* (ST4 2 0 3) . B 
2 \ y ->a#©423ti. iigEfflgLa4205lC» 

»BB420lBBO)BKa>/\-yi/aBBH*fTft?T. B 
m<D&W \ v zs affl4206*BE?ftrin#B328(CB« 
(ST4204) o 

[0 117] J^T. hB8'J^«*B327, BE 

ft^#©322, BE?ttiD#«328<DftffittlB4, (3 5<7) 
BftiBB-p**^ ^^r'y FB»J?*B#«327tfB 
ftBB3209©f«toy (cttBBBa»4202«Bt^^ B 
E^flD#S328)b^«lIs]a3202SrJ : ^©/ \ y is nfil321 
0(D«t) y (cW»[H]iS420 1 \ -> afii4206€ffl 

l^jS^a&y, ISE^^r'y hx-^3213<htiM75:^rt 
S^iSE^^r y h 7 :r -^4207*M#6tl ( S T 4 2 0 
5) , B2<D3SS«#©321^LTBE^^y hTicke 
t402<>: LT^^YT'V h#©4UC&6*l*o 

[0 118] CtXtCWLT^^-r^V h#»4HCfc^T 
i&EB 1 <&aig«#«3n, BB^y h«*§#©3 
14#B5, B60>«d&RIB(clM^U HBBrT^MDB 
8K13Ea31043b^K.6tlfc»^tC. BEf^y hTicket40 
3^HgpJg*Author i ze Request i: <!: fc luBpr-ft- y 
33tcSe tl> ^5»[Hl»31 126>*©/ \ y a#©317tC« 

[01 19] cntcwr^igpi+f-/^#©33o»^ig 

5, H6©«SiB«T'8y, KRT^bV^Challeng 






[0 12 0] cniC*tLT'5'5-r7 7 >K#S41(c33^T 
it. 8ulBmiroig§{l#IS311. ^S/\ y->a^l9:317jb< 

E5, m6(om-g;tw}micMY?Tz<, tctzL. mm® 

IBti^f8316J: y ^££OttBliEfflSLS){4105T£ V (ST 
4 10 5) . CtUCtt LT&g6MT&fo*l£o f&to 
■6« ^SM-y->3.#S3176^WJ»lHl»3n2i:fiJffl|s]a3n 

(ST4 1 06) . i^mo^©/\-yv'affl4106^S|1 © 
5g§{i#K31l£fl- LTKoT^ + U> v>'rSSResponse404 
tLTBpJ-y— /<;#l833lCiiSa (ST4 1 0 7) o 

[0 12 1] C*llc«J:t)igPl-9--/S'#|ft336Mf*Sgpr^ 
•V U- > v>'f5SResponse404# <h & "3 \'y>jl, 
WB& *T"J hTi cket403tf £: *>S -5 \ ■> ->o.ffltt. 
E5, E60Jf$<!:«/\-yv'a«&* , :s%^CD*T$ 

*l[c*tr*BU*- /<#«33©BfW.B5» EI6<Dll£ 
«kPI«T<fc<. 2O£0^S/\-y->ifiBcDBa#^x-y^ 
LT, IEMi<hBto*i«B^iI»Result308tfjg3-+u 2 

'J, t'y^TS Y^mvWW— KPW*BrT9— 
#S33^gi&fi:lg=#tcB^6v-r C «!: < % 6^/ (79- 
KPWi:t*fi|^T"e^140<i:yS^SgiI^'5-y M02 

LT n EI£Tf!]fflBpJ^#3 Z t&TZZ. 
[0 12 2] JJ(±<0iJi^T«^5'r7 7 Vh#ia41 

iz&^Tmmv8.*jmm(Drcmz$m/ \ -y -> afii^tm-r 

03*18:/ \ -y -> affi^Wftttt* LT*»ffifE18#S316(ciB 
li-r^Sfigi LT*>Ml,\ *C0i§^ 8HBIB«#Mi8316 
£: LT<fc y *gS©it* * y t/W»«M 

«b# S3t>4>4>, *jfflB^#iffici©«yiii§ia : &<t: y 

[0 12 3] C<0«fc-5{<:. BH->xyi»ii«COW»B» 

©* c fc ic * y . ^^'T7 7 >h « # h-bobb 

730fi^BT'*oTt. £JBtttt$QSB*nT¥JBBRr 
tt**fifc3C&#3IttU:tt*. ggll^-y hie 

**n*B#«wffa-tfBliE1t«£B«fl»ca:*fc 

t£tf»K£y, «fc y SStt«>Kb\ ->V^;U+f-fV*> 
S<DBSE75 XtfBBE > X x A tfW 5 ti * . 

[0124] (m 6 nmrnomm) m 6 cDHjgBttoB 

[0 12 5] H14ht. CiroigiiEi/T.xixCD^P ha;U 
£;jVryQ -r>7.ElT*5o EI1 4lCfcl/>T 

#S53T«cT, BB+t-M'#K32li£:by#fcl\ £ 
tc. BrT+J— /«3A>6<75-<7 , > h#H5UC» BpHISD 
Resu 1 1308«»: i: t (cK«r**ifcBH^^ » Hi cket501# 



[0 12 6] CcDISIiE^-y h-Ticket501tt. ISIiE^>>- 
•y h305lCik^T, ^©jS^ffiSLTt^o 
[0 12 7] ffll-6. BSE^'ir-y h305T'CDn + 1 S/\-y 

-sD.mntemh\ n-k + is/x-yi/ijus^ (kw 

fOTElK) tcH*&*.S*lTl,^ 0 BfE**v H305T 
OW55!)[H]»n*\ «y5f«JfflRltglH]8fcn-ktcS$SS^e 

7TS k[C«*»a.S*l7V*. Bfr«HSy?| I Dtf 
BRT»-/tt3a#*5\T-y--/TOmc«**jtSftT 

ssic* srfc&BB?#ttJin;*-ftTi>*. 
[0128] cosaaciu. ^-frvh^&su*. 

/\°X-7- KP WSBH-y— /«#«53*a»fcII=#[c« 
frTCtfc^ n[a]$TBSE^'7--y h304-¥>S»r**i/i: 
BSE* <r y K 501 fcfigJI L TflJfflBRl^ii. C i: #T*^ 

n*fc#?r»»!iE£j;yss<ia;rr**. *<Df=a6. * 
mr*m=m!,z «t «&sg*tgi(cfc y 3 zmrsttm < % y . 

cfcyS^ttflWlV $fc. B5It»—/^iS53lC33^«/\ 

•y ->ajs»#;i &z*m^tztt>. *m§8.°]mmc3sitz > i& 

[0 12 9] CCD^a^^a hzl/Uv—^VT.^OB 

[0 13 0] EH5Kfcl^T\ EI5tS%^<Dti, 
-TT'V h#S51RO : Bo]-y-/\-#S53T«y. SB*- 

fc^TI2]5CD^7-t'7 7 >h#S31i:S^:5<D«v ^-{r-> 
h«*f#S5116 ,; BBr+>—/^#l8:53^eoBiiE9 l '>--y H 
icket501OBSE^'7--y hf-# 5101t,Sfrr^ *<fc 
L/c;SlC«5o BRl-y-M*#|ft53JCfcl^l21 5 <D 

BpJ+f-A#S33i:S&2.<Dti, ^y hfiJfflgS^S 
5316'«5$yfiJ«ortgl2]»^ i tai73-r.5t»0<!:Ls S3(D 
£187 \ -y -> a #!8336<Dtt:b y 1 &£>/ \7->iSSH 
m?S3W\7 v/i#|ft532^iaitx Bil^^-y h 
IZMT SBSE^^Sfig LTWfiPT 5^ 2 <DBEE^f>ffin# 
!8533£»TfclCiaW\ — gpcDSllg^iifcjSlc^^,, 
[0 13 1] cco^^r-y h«J##a511<t:LTt*. ^-7" 
•y h«J##!8314i:lRl«©«fi»*i«ie«l*>il)DLT«fflT 

fflWS#S335i:ID«l (D^fiEA^lig^iiDD LTfilfflT'* 
m3«D/\-y->n#l8:532t LT(i. «U^(#/\-y ->a 

S2<DBSE : f«)!lD#f8:533t LT«, K^tflf 
I8328i:^l«©«fi£6 , ;fi6fflr$5„ ±IBS#S^ 
"7 -f □ a V fcf a. -• 9 * fctt;/lffl a > tf a — 5? ±<0 n V 

tt^zi > fcfa — 9 7 □ f^WZtim y oT|g35:fi>iCT'7 
□ 75AtB«i<«f*H:lB^L, 7P75Z^IBIS«<*i%H2y 
t ffl^#^-tt/i:«J5E(c ^ y H^l L T t. S t>» 






[0 13 2] lZ±(D£olzm&Z1xrcVmz/XTLK<DW) 

f8liES^Authenticate Request30WBE^'y hW#J 

[0 13 3] g=t\ ?5^>h#851&tfBIiE*-/\* 
#«32lC»tS»fl5«B15, H60»$tRI*T\ a- 
VBBMtffrttfotiTBKttlctt* BE*-/t#«32 
*y*5-fy> h¥«5T\BE**"y hTicket304tf£ 
6*i£o 

[0 13 4] CftU:ttLT?^<7 7 Vh#S51tC&M/>T 
l*> Xia»S9A#lB311UcB5. H6<Di§$£|?HJMC 

*v h«*#«314£BIIHciM*U BE*** hTicke 
t305tf BRl^Author i ze Request <»: £ ICBeTtf- / * 

»HB31123B«WlUS*l*«/\y->a*«317(ca65ti 

[0 13 5] /^«53lCfctNT 
1*. B3 0BM9B331. |gRlH-B§#a332. BCE7tt 
H#B333aif ? ^T7h «8Haj£#B334»B 5.06?) 
Bfr&BtlKIMEU hBH?3305&*ft/\?-> 
a {13306 <h W«I l2ia3307 £ Bff«BMT3308 tf^7 h 
WttBSI33i<>fc***-* hWS»W«53Uc«aST 

h«JBWl#«531tt* 05, E)64>i§£(7> 
^y*y KWfflWl#«3354:K»BWiciM*LT* *M 
@3$5301 *m 3 <3&gfI#IS331 LTBqJ* 
SJChal Ienge306<!: LT*5-f 7> h#«51Kay % £K 
/ Vy 5/ afl3306£*O£ \ -y i/ afil5302 <h LTB 
RlB$#S337lc5S*ft\ *Slc*^y hBS!l?&BU 
MS RJIBBBt W8y?O»5303*ffl* ITS20 
BETWttff«533lcaS*. 

[0136] cmcMr^^^-fzvh^asioKrf^t, 

B5« H60»dtra«T*y, BRl^-f UWChalle 
nge306lC^LTIS^^^UVv ? JSS : Response307^>g^ 

[0 13 7] C*lJcMLTBpr*-/^«53(cJ5^T 
tt, KrJ* tU> S>JSSResponse307ttS 3 GD&S{f# 
«331T>S«**U *«y\y5/a«53044i«UttS**lTB 
3 <D/ \ #«532StfB 2 4)BE*fittD#«533U:aS 
6*l£o !&3CD/Vy i/a#ia532(i, Vy ->:iffl530 

4lC/ Vy $/ a SB H £fr£ o T\ /\7*>i Olftfttf 1 1f 
*/c-**«/Ny5/affl5305*BRT!H^«337ica* 

(ST5 3 0 1) o BRTBd#«337B, 
{15302 <h Zl \ y a fil5305 £ £>— SMaj££*T& I/* 

(ST5 3 0 2. ST 3 3 1 6) . BdBJR5307«M 2 
©BE? f*in#«533lC2£ * o 

[0 13 8] Bmt«#A322H3E&am«WLTS . 
•J* 3ia^SiJ(CS^<^-<AX^Vy5306^S2<3[)ig|I 
WflD#«533^«tteLTt^«. » 2 4>BE?ttttl#K5 

33t*. ^7 hmi*t*vwmmv®m£v-siMm 



?<Dmsm £ $m \ y z/ a (15304 <k £ X * V 75306 

<LB^+f-/\^53g#^m-r^?f#^so : ?<i:^ajeL. c 

♦llcJ»LTBaE?*^aLTfiHJOLTBBE^^y h^- 
*5308<hL (ST5 3 0 3) , % 3 OSfS«^lft331^ 
^ LTSE*^ *y hTi cketSOl £ LTBpJiiSQResu 1 1308 
4:i i kU:?5>f7 , > h#&51tc£« (ST 5 3 04) „ 

[0 13 9] CftKWLT^*7 7 >h#fft5UC&n,>T 
it. BE*** hTicket501»i»10)2ISfl#«311T*5 
(1**1. BE*** hx-*510l£LTiiuIB**"-y h« 
»#«51UCiSS*l«}#**lT (ST510K ST 5 
10 2). XBaffUBBRT^NITICB^ti*. 

[0 14 0] C*UC«fcy *5-r7*> b#IS51fr6I2pj* 
-/t9B53(C3X&*l«BE?4-*y h305tf<fcfcft5£® 
/\?->:i«U* TOBBflVJBBRTC&lciroB^T 
S<<DT% BRT"t-/^#l9:53T*«/\*yS/aSStt1 SOD 

cmwBtfflW?**. «fc. 

^*V^E*f**i*fta6*»HHB*7 F ^-bXa>BB» 

£o <75*7> h#«31tt/«X , 7- K 

P W^BrJ*- / C#B53C«tt AB=*(CB»r 
<, ft£tt0>*yBl^BE*** h305*fiEfflLTnS 
ST* y H^SSSWBTWBBrISW^C 
[0141] «±©KW-W**5-r7*V h#«51 

icfci^TMSB^JiBOfctrtc*®/ \ *y i/affl^i+St 

a>*«/\y>a«**ttH-»LT«*E«#«3l6l!:E 
LT<fe*l\ ^cDii^ s «lffiIBffi#S316 

tLTcfey^McDiH^v/^ttyty f/«^x^^« 

[0 14 2] C(7)cfc5tc % *£tt4>fl3B4>BEi';i?£t 
Tti, B=#lcj:*^iEfleB©RrB11**y^*<T t 
M«BRT©««B9B*H«r*Ctfl«T* 

[0143] (» 7 ^HJSOBJg) K 7 ontiBKDB 
Ei/X^tt, htffltOBW- /«C«L 

[0 14 4] 01714, c^iSEi/Xx^coyp ha;b 

B4£Mtt«4)tt* ❖^<7 T Vh#IB:61. BE*- 
«62, BpT*-A#I9:63T*«oT. *6lcBE^^y h 

Response303*SW-fcBE"9— /^#S62#BEB*Authe 
nticate Request301^5»tBLfc^^y KB»J?T I D 

^<r»y h«ffa«JB*Registration601*BE^y h 
§S#lft64^\jS^^. BpJS^Authorize Request602tf 
fUfflEHRkSrtfcfc^jSL BRlS^Author ize Request6 
02»tfBE^^y Hicket305*S^fcBRl*-/^«6 
3tffgprgsRAuthorize Request602SU : g81iE^'!r > v K305 
ftZmttiLtcl-'r-y h^gy^T I D t+t- M'fSS'J^S I 
D < fcfUJB®»k££<hfcfcofcI8iiE*'7--y hlllilg 
*Update603*fKSE^<>-y h'gSfM^'NSSjSL Ctl 
lC«LT*«lcl5CTiSiiE^'>- y hJ§*6il«Reject606 
ftm-$ti2>&, ISr!^* U> v>Chal Ienge6043b^jffl[2ia 

iSRl^-V U>v ; l5S : ftesponse60S^/\°^7- K 
P WtgLSR 0 £©iUgU:*tLT n - k + 1 «©/ Vy -> 

[0 145] CO^aiC^U, ? 5 'TT'Vh #8611*. 

frfc:<!:fc<s nEJSTiSIiE^ y h304£tefl§LTfU 
ffl&eJ^f^dttfT'^ fU^[Hak*^7l'7 , Vh# 
1861 ibSSo TKrI^-/ ^f863i ttlSfi LTzWSLl-'r 
•y KgS#lft64T^i-y^-r^rc46s KSE*$-y h304 
**tS*<D&5J+*— /\#S63T*«iltcf'JfflpISg«!:-r« C <b 

[0 14 6] C©yn hn;U->-'!r>X^OiSSE->7. 

1, !SiiE+t-/\-#l9:62, &lf|gpI^-/\'#lft63T'a5^ 
T, *6lCl8K^'y h^3#lft64£&liOLTl^o 1? 

!ft31<Lg£*<m;Ju KfiE^'y h .hi:*, lc* 

©fijffllsja k^lSf 5^^-y h«Jfgg#S611£* 
*y h«*##83i4<Dft:byu:f9tt. t'-y 
iSafQ3l»^^3&7m I <D8M&WSa3fO#I8612£i8 

S62lCfcf>TI2l 5 ©fgfiE+f- A#lft32<!:g& IS 
EE^-y hSt*rMSJi^T r -* : &£/?)6-r5*'7--y hBfll 

[0 14 7] £tc. fgpT^-/^lft63lCte^TEI5<Dii8 
pJtJ— /\"#IS33i:S35:5a)tt, iSSE^-y h<D^*-y h 

mi* t t&hm&t a y f us Risgisi»«S3x o x&mz 
m&f^tt^zmsL^Ty hmwm.mtiTri'T— 

misomt, y icisit, f 'jfflKRiSQSsicsLa^i sg-r 
5S2 a>fl.a±/d6#8632, tr -y h s<o«tfawisa?P3i 

S*«fc?m2<D8Mtel*)S£3IfQ#fa633£ifttf\ — BP© 

[0 148] Z\o>*>r-v h«Jf^S#^611i:LT(is 
*$-y h«}f#lft335i:[lI«l£0«fi)6lc#Uffl|5]a<Dttm^ 

vmimm^mmtLTte. mast 

fSSSBtfteET-^*. *$--y hM«fr^#IS631tL 
S632i LTti, SL»^fi2#ifi324<!:|5)«l^«fi)66^fflT 



^y^v^xtcoiia^-yrit^ysfiXT'^?.. ±sb 

7 -f V a □ > e j. — 9 3: ti ;/U8 □ V fc° a — * 

t\ ^suHi^-rouvei-^T'p^yA.^KroysiBg 

[0 14 9] W±W<t:-5tc^5-nftl8iiEv'X7 i A0DSl 
iSSEgSRAuthenticate RequestSOItfSgfiE^-y -y 

man ^tts^ii^co^Tiasfl-ri). 

[0 15 0] 8ff\ O.— 9 £ SgSE#l©lcfc^^'5'5'f7'V 
h#S61RO : igE^-/\-#|ft62lCfcH+5,fi)fP(*El 5 . H 

6 <D^t sif mmz% mmt*>izavs.8iv—j \"#S62«j: 

y ❖5-C7 T V h^lfteTMSSiE^-ir-y Hicket3046 , :iSe 

Zor+'y h«^#S314<Dli!H^*^'7--y h«^©S# 
©611 tffjfc -Po «fcKSE-y— /<#S:62ltfc^T»3:, K 
SEg^Authenticate Request301ft^61xaj?tl/i:^S(jIs] 
»6201 (i^S/ \ -> a #S325Sl/iSSE^00#IS328© 
IJft^'T-y hS®JI^#IS62Hct)ll6n, +>— /«S!J 
•?6202t*|gaE^J)I]#&328©B*^>r-y hS*iftf!i*# 
IS621tCtijSetl. ^^-y hlESiJ^BX^©327T'^Bl63- 
tl/c^y y hffiSU^6203(*ii8iI^JlD#S32805e6^ 
^•y KSSSJi^^nctiSetx^o 

[0151] =?-T-y bmrnm^mmt. hffit 

SU?6203 £ +>— / qB8'J?6202 <t ^3»[H]a6201 «!: L 
TSgiiE^^'y KSfrSiilJg/T;^— S»6204^SfigL, 
OSS«¥IS321^^LTiSiIf : '7-y h^TSSIJi^Reg 
istration601<tLTiSiiE^<!r-y h 1S#IS64lcS5 (S 
T 6 2 0 1 ) . Ctl^gW-fciSIiE^-y h^S#S64« 
^•yh'JXh^flLTS'J, ISiiE^^-y K^tSS 
Ji^Registration601^x6tl/-c^(C =f->r-v 
S'J^rat^T^^-y h 'J X h^fSsSLTetlcggS-ft 
TU^A^WB^*. tK^-T^tcDAWtti^^'y hiS 

S'j?<!:w«!iiiiai:^iy fUfflpiggiHia^-rfiii ltww 
saisii$<Dsa^^^-y h y x htciifinLiBurs., 

[0 15 2] Z\tllZttLT? ; ?<fT> \~^f&6MZt$^T 
It. BKf<r7 hTicket304«SlW2l§(i#a311T*S 
(1**1, ISIi^'lr y hf- S'3110^attil**vT^'>->y H 

^ss^iaeiHcisisn-s,, ^>y h«jf§a#ift6ii 

«K§E^^ -y h x— 5» 31 10«-9— / ttagy^3101 

^yf'JfflpItgIll»i:LTPIB$lC'gSL (ST610 
1 ) . fl)ffil85J#Jlieibii«1610lA^^etlfcii^tC, 
IgiE^'ir-y hx-*3m«|1©as«*«311*rtL 
TKIiE9 : '7--y hTicket30StLT, $fc, ?SyfiJfflpJfig 
»*63KCt*cj:y»/£«fl|EI»6102* (ST6 1 0 
2) »1oaSB«#«311*^LTBRlB«Authori2e R 
equest602<S: LT> BpT**-/ *#®63iC2i *J (ST6 1 

0 3) . ^etc. be**-* hx-^ssffiLfrfra 

0&31 12££K; \ -y 5/ a #!5317tc&* 0 

[0 15 3] /^«63lCfcLNT 
li. SE^-y Kicket305&tfB^^uthor ize Req 
uest602teSg 3 <Di£S«#«331Tg«;r*U BE** *y 
h *-*3301tf SXaj£ftTBE^E#&333lc&6 

1lc&6ft£ (S T 6 3 0 1 ) o BRjftB5#a332, BSE 
: ?*£E#K333&tj : *>r y h «S&¥!JC#»334ttB 5 , B 
6©«$fc««m*ls:HlttU fctfU V-/«B5y«3 
02«^^-y h«aWS#«3340)«^^^y hSfftt/T 
#H631(C«£6tu 1WBM6303tt**y h^Stf!^ 
#l563lSl/S2 0SL»*«#lft632lca6ft^o 
hEKfl»tNK31tt, «Ki»6303^*6ft*t, 
**'y hBB'J»3305t*-/«W?6302iWBB»6301 
£*WSLTBE**'y hBKBflrJSjRx-^SMtS 
J56U f&3<ttSgfI#8331£^LTBE**'y h/gfil 
E*r*B5*Update603£ LTBE**<y h«B#«64lciiS 
* (ST6 3 0 2) HffiBK63O1«*0)££ 
*UfflS»6306t LTm3<D*8vvy~>a#g8:336'\& 
£<> BE**'y h«a#«64tt. BE**>y hBBESr 
Jg;*Update603tf^jl6ft/ci§<&lc % **<y hBM?ft 

sriitf, »isr*»yfUfflprfiEiai»*srffltBii^ 

**y h^SMSS^Update603^<h J t>^:5jpJ^[sll»<i:<D 

h y x h *<d« y he qnesik^at-rfl* i at je l 

<ft«-ft«BBE^^y h*§&jifcReject606£2iyig 
-T. BIiE**'y h*E«aB«1606ttBRj-9— /\*#lft63(Cfc 
l/>7\ «3<D5Sgfi#IS331*^LTBfiE^y hffi» 
ii&x-*6305£LTi!ijfa**'y hEffiWSt¥fiM31K: 
&6ft£ 0 **y hBRfK5%¥HK31tt« ^Syvyi/a 
ffi3306£^<D $ $ \ *y •> a {13312 i: LTBrTR8o'# 
IS337tC2S*2>\ BE***y hJBS&i&x-*6305tf.£ 
*Sft*£Cft«QlitT*. K2 0>ajk£ffi^«632 

W^il5ai6303^^6ft^<i:, x-^fiiSlECD** 
U> ^Sl&6307£#r/clc-5 >£\Mc£/3c LTB 2 £>SM6 
ttttaft#B633(c&*&&t»l«: % B 3 0>agSA#«331 
^LTBrT** UVi/Chal Ienge604£ LT^^-TT 7 V 
h#«61tc2£* (ST 6 3 0 3) „ 
[0 15 4] ZtllZ$tiLT<7'7<<7 7 > h#IS6HC^T 
li. BrI** U>v>Chal lenge604liB 1 <0&§fi#|ft31 
ITWMrtu ** UVv F aa61036^asSrftTS I V> 
imfi«BJi»#«612l«:aSSft* (ST 6 1 0 4) 0 * 
IS/ vy v a #S31 7(i, *UJ8B pT#JH^BB159]6101 tf^ 
*.SftTl^fll^l;:. i5I3«Sffi§B«#«316 «fe y / \ -y -> 



a«3113*f#Ts /Vy^affi3113lcW»E»3112£Wffl 

i°ia6io2 <h obtest *«»a>/ \-r>i h ^a 

-oT. *£S<D£f9VVy->afil6104£, 
«#&612lC&* 0 Bl^ttffinttBffi#a612». *JE 
BRl#llilgIfiiifil610lA^*6ftTL^li$tC. 
•y 2/ affi6104<i: * -V U V ^SL»6103<h OF^T «y h SO 
*ffl»B«ffl3IW*ff ft£L*£Qy \ * is afil6105* 
ftJffiU »ia>»a«#«311*^LTBRry+U>^ 
/SSResponse605<5: LTBRT+f — /^g63tCjg^ ( S T 
6 10 5, S T 6 1 0 6) o /\y->aB£Htfft#fi£ 

y. iKDHSL^S/X^i/afileiOSB/^X^-KPW, a 

£C<ttfT^ai>/c#>. £<7>m£&Mv/v'afil6105U: 
cfc f/U7- KPW *SQ*IES »f T*£ £ £ £ ;fx 
^•ft^o $fcv iaStC3"3b^(S*i$ir*«y\^i> affile 
fctt^/\^i/a>||gH^|fta^<tT5S:^ftT^^fc 
46, C O^Sy \ a ffi61043b> 6 WD&W \ v z/ a ffi^ 

te. ;\'r>2»Itt- iKtcBg^sSJ: y 1 1 o om± 

Bjrr£££**u B«a«»T*ft»Bi#*ffl^fea 

[0 15 5] CfttC»LTBpT+f-y\^®63lCfc^T 
t*. BpT^-^ U>> ? lSS : Response605Bm3a)3Sg^i# 
®331T*gfi**U «a*«/\y>affi6308#ttHl*ft 
Tm2CD8ffteW§iS3Rl#lft633lC^eft^ (S T 6 3 0 
4) o S2<7)Sff6«iS^«]#|ft633B> ^^UV^SL»6 
307 1 m$L&&J Wis 3. fi!6308 <t CDP^T t: y h S<7)Sf<6 
MSiSfQSg^fra^T, ^©/\^i/affi6309^?fTm 
3^|ft/\^i/a#ia336tcS^ (ST6 3 0 5) . B 
3 V>S,W #S336B. \ y ~> a ffi6309tC?iJ 

^0»63O6tcfflSr^^a^M^i/a>Sg^^55:oT, 
»IRO-*^«/ \ *y 5> a ffi3314^BRl^^#©337lcS 
BpT^?S337tiI2!5, B6(D«$tl3ttlC»ff 
U BRJii»37 r -^3315^S3(7>iM§«#|ft331^L 
TBpJji5EQResult308<b LT^W^V h#©61lC^ 
y, Izr-ITy h#&6HCfc^T§flT*-ft^ 0 ftfcU 
BliE^ 1 >r h SJfeji^Re j ect606<Ogfltc ct: y ^Ift/ \ *y 

-> a fi33 1 2<Dm&tfto±2ntcm£im z om y zi*a 

t> (ST6 3 0 6, ST6 3 0 7) c C^>^C<fcy. 
<7^-TT> h#lft6U*/\'X , 7- KP W^BHT+f-/^S 
63^^46fcB=#tJ:^t-C^a<, nlH]^TBIiE^<r 
*y h305^^LT«aOBRj+t-/\ w #StcJtrLTfyffl 
BrI*»*C4:#T**. 
[0 15 6] 3ifc\ J^©BBW**7*f7 y >h#«61 
tC^>l>TfUfflBRT^III^/£:VtC*S/\'yi/affi^i+g'r 

^*®/ \ y a m*Wm$tM LT«ie&IB18#lft316tcfa 
ttfT^WfiEi: LTtiAt% ^^D^, «S&iB1£#&316 
[0 15 7] Z.<D&z>lZ % CtD&tmKTtt. BM^fr 

[0.158] (» 8 DftttOflSn) « 8 OHJfiJfcflg^H 

[0 15 9] H2 01*. COKBES/X^/x^rn 
fcgVT^Q h3ik>-^V70T'$^o H2 0U:J5l^T 
HI 4fcJM:*a>tt* *5-f7*> h#«71. KBEIt— 
#«72»UWW-/t#«73T*oT\ ^6tcS2(^iS 
/^#«74*aiDLTt^*. BpTBStAuthor 
ize Request701^f!JffllHiak*ttift-3iS, fgqJg^Au 
thorize Request 70 1 StJfgliE^ <r •> h Ticket 305£glt 
fcB pJtl- -/ f#S73#B Rl^Author i ze Request701& 
tffgBE*^ h305^6?XttiL/c^>r^ h«»J*T I D 

f^7h JIMS^I nqu i ry702£I8BE+J—/ \*#|ft723;/c 
m2(DfgpJ+t-/^#®74^\2S^/S x C*Uc»LT*Wc 
/SUTKBE^y hJg«aWReject705^igTrtl§^ 
fgpj^* UVi^Chal lenge703^iJffll2]|»ktD«t>UtC§ 

* UVv>^Response7046V\"7.7- KP W<tSLS£R 0 
£<Di«SlottLTn-k + 1 «a)/\y>a3l»H*SBL 

[0160] C0)7?a{C<fcUv ^-YT 7 :/ h^K7U*/\° 
X r 7-KPW^ISRT+f-/\ w #S73. m2CD|gpJ^-/^ 
S74^A6fcmH#ti:0^rci:^:<. nESTBBE* 
h304*H«f*tlfcBBE^^y K501*«fflLT*Jffl 
BpT*»*C<k38«T**, f'JffilHiak^^^^ZV 
71fr6BpI»- K#«73*ttLTBBE*$"> h**f5L 
fcBH*-/ t^JTOCftttEfr LftS 2 <Z>m*JV-/ t# 
«74te2&oT*x BE?*-? h304«« 

■toBW- /t#«73. 74T»iilc?UfflRHB*t©i:'r 

[0161] ccD^^tezfa ha/l/i/— ^>x*»ob 
liEvX^ZxCD^^o^Tia 2 1 *#BLfttfSBW3T 
*. 02 1lC&l^Tt»B1 5<fc«&*(Dtt. l^-iTy 
h#«71, BE*- /f#«72* BrT*-/^«73T*o 
T> ffSiC«2a>BRl1t-/^«74*iWraLT^*. $ 
fc, <77-T7 7 > h#fK7UCfit^TBl 5<D^5<7 7 > h 

^MEEBkSBBT**** »*«»*B#«7n* 

h«»#«5ll©f«toyfcKW\ tfy 
WBafPSMUcfra^W 1 0&Hfitttt9n¥R712«H 



«72lCfiL*THl 5 0BBE-9— A#«32<kWft*4)M\ 

*s«a#«72i*»*t, — woe«*aa&fcjSic» 

*o BRT"9--/^S73tCiJ^TBI1 5(£i8qj+t- 

/*#8S3i:Bft*4>tt* BE^frv hO^r-y hB»J? 

***** hISrflfS731^f>r7 h¥iJJ§Vl#Bt5 

2©SU)t^a#«732. tf v hffOMHBnWHDBIR* 
fi&9W2©aH6MB»H#«733*KW\ -»Ol8B 
*3M&fcj£fc** 0 »2(OBrJ-9— /^S74«Rpr-9— 

[0 16 2] **rv htttBVNtfllJ: LTtt* ** 
*y hfim¥K511&m«a)«ia(CHffiBltta>tfff«fTQ: 

!SS«1#I9:712, 733<hLTt*. ffll5ltfB31SH3^flefflT* 
h*H5«B#IB721£LTH:. WAtfy- 

saaatfitwisiffi ^^g&o^ * y */ \v x £ cd«s^ 

*»cJ:y«teE7»«. ***y KJE*nra#«731iLT 
tt, BAtfx-^OftliM^tfftt^BaBaBfcMfflia 

■*Bdr*mnBB&tfitiSBiB&*«op< « y * 
^732i:LTti. &&&i£&m24tmm<Dm!$,&i£m? 

[0 16 3] lX±CD^5(C^^nfclSliEvXxACDi<j 
m»l^TB2 2*»BL*^6Kfl8r*. 
iSIIS^Authenticate Request301««BBE^^y 

aft n * 1 1 a 5 msiz-D^Tmn? Z> 0 

[0 16 4] a-lfBSE^UKCfeW-S^^-f^V 
h#«7iatfBBE»-/^#«72tcfcn**BftttB 1 5. 

01 6<7)^^f5(jffi«T\ mi&ttizitizmv—/^& 

72^V<7^^T> h^m^mm+'rv Hicket304^ 
^eti^So fcfcU ^7-T7 7 > h#«7Ucfet^T«. ^ 

31#S711^t3S:3c *fcBBE*-/^«72lC*5t^T 
tix ISIiES^Authenticate Request30l3b x 61XaiT*"tl/c 
^ais]a7201 * \7i/a #a325^tFfgE : ?«jtlD# 

m28<omfr**y hBff«a#«72Hctas*i. 

/ \^S'J : ? : 7202tilSliIE^J,n#IS328CDt5^^^ y h *ff 
VB«B721(c«iS6tu y^-y hBM?£tt#IB3277 
ftrt*tlfc^^ 'V hBS»J^7203ttBBE?«»D#S328O 
Bat^^y K»ff«a#fi!l721(cti5S6n*o h 
5lfifIfg721IJIiffLftf^7 h <JZ h^gJlLT 
fcU. h ISSU : ?-7203 «h / ^SU^7202 «t ^JSjlS 

»72oi twjpmpj^m&L^rmt LTonaoiasm 

01<D*l£*>r vb'JXb KilfiD LIEUT -5 ( S T 7 2 0 

1) . 

[0 16 5] CftKttLT? 5-f7'Vh#i871K£^T 
Bif*y HTicket304tiSI1<D&§fI#|ft3nT'g 
«S*U I8il9 : '7--y hf- S'3110*<lZtiJ*nTMie9 l '7- 

33MS711li. fggB^-;/ I-t 1 — $r3110£+>— /\"»J?3 

ioit«t6-3t*T«»u hx-^sataj 
(st 7 i o i ) . mmv&^mmms]mwmt)^fLe> 

|g31l£:rt-LTfSlI^*-y hTicket305<fcLT\ £fc. 5£ 
yfUBRFIBBiMr 1 MUTt^^TWBE^'y KrSKttl 
LfcWasfMrSgi < C<bi::«t »J* fcWfflI=Ijtt7102* 
(ST7102) Jg1 (DjMg{ffMa31l£rt-LTIgpJg 
^Authorize Request701i LT> tlBRJIt-/^ 
S73lci3iy (ST 7 1 0 3) . ■saizglSET'rv h?- 
*fr61Mi LfcW5»la]iS31 12^*18/ \-> ->a#©317lc 

[0 16 6] dtltC*tLT^pT+f-/\^l573tC^T 
it. mL**y Kicket305&tfB^B#Authorize Req 
uest70nim3Oj|S§fi#lft331TSfi^tL. BKE^v 

h BHl**lTBI»ttBE#«333lcaSS 

*u f'jffl@a73oi*^as7!rtiT^^y hE»rwi#«73 

Kcigetl^ (ST 7 3 0 1 ) o 

[0 16 7] KrIH-B5#S332. KISE?«EE#lft333SIf 
^<r^ hW»W3£#«334ttBI1 5, Ell etDif^t* 
fflRiatElM^L, fcfcU +f-Ml$sy^7302te^>ru/ h 
«»«£#«334<D«jb^$-y hKBrBS#«731U:*,iS 
S*U ^«lil«17303«^>ry hSSr*B#«731&tfB 
2^gL»^#lft732tCSetl^o hwitimm^ 
miUtWfiLfc+'rv h'JXh^gSLTfcy, 
il«7303zy4*Stl*&* ^>ru/ hB«J?3305£1t-/t 
B»J*7302 i jpj fl§ [38*730 ItSIJgLTBBEf^yHI 
ESS£7 r -*7304*f#T, Sg3<D&gffi#fa331*rtL 
T»fi««W«3080)SriM»-/^«72*ft«IB2 
<DBrT9— / ^«74^BBE^ ^ <;/ h JBEB6 I nqu i ry702 
*m*££*>lz x ^*r-j h KSU^3305 £ /«OJ?73 
02tWttH»730l tHy«fflpJ(IEIBtt*^r«4: LTO 
3 S»S»730l(DH*^^y h y X MCilfflLK«T* 

(ST7 3 0 2) o 

[0 16 8] Ctl*gttfcBII+f-M#ia72T^ KGE 
BEB& | nqu i ry702tiS 2 <D&§{1#8:321 T 

Sflartu H«8iJ?i:V-/«gy?tfijffligRt 
£^/cBSE*>ry h^M^^7 r -^7205i:LTB5fB^ 
*v h^iT^S#l572Hci2l6n^c bJIB*^ K^t 
««^S721(*. BfiE^* HBBIIffldx— *7205z>S 